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The first-order theory of MALL (multiplicative, additive linear logic) over only equalities is a 
well-structured but weak logic since it cannot capture unbounded (infinite) behavior. Instead 
of accounting for unbounded behavior via the addition of the exponentials (! and ?), we add 
least and greatest fixed point operators. The resulting logic, which we call /iMALL, satisfies two 
fundamental proof theoretic properties: we establish weak normalization for it, and we design 
a focused proof system that we prove complete with respect to the initial system. That second 
result provides a strong normal form for cut-free proof structures that can be used, for example, 
to help automate proof search. We show how these foundations can be applied to intuitionistic 
logic. 

Categories and Subject Descriptors: F.4.1 [Mathematical Logic and Formal Languages]: 
Mathematical Logic — Proof theory; F.3.1 [Logics and Meanings of Programs]: Specifying and 
Verifying and Reasoning about Programs — Specification techniques; F.3.3 [Logics and Mean- 
ings of Programs] : Studies of Program Constructs — Program and recursion schemes 
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1. INTRODUCTION 

Inductive and coinductive definitions are ubiquitous in mathematics and computer 
science, from arithmetic to operational semantics and concurrency theory. These 
recursive definitions provide natural and very expressive ways to write specifica- 
tions. The primary means of reasoning on inductive specifications is by induction, 
which involves the generalization of the tentative theorem in a way that makes it in- 
variant under the considered inductive construction. Although the invariant might 
sometimes be the goal itself, it can be very different in general, sometimes involv- 
ing concepts that are absent from the theorem statement. When proving theorems, 
most of the ingenuity actually goes into discovering invariants. Symmetrically, 
proving coinductive specifications is done by coinduction, involving coinvariants 
which again can have little to do with the initial specification. A proof theoret- 
ical framework supporting (co) inductive definitions can be used as a foundation 
for prototyping, model checking and reasoning about many useful computational 
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systems. But that great expressive power comes with several difficulties such as 
undecidability, and even non-analyticity: because of (co) induction rules and their 
arbitrary (co)invariants, proofs do not enjoy any reasonable form of subformula 
property. Nevertheless, we shall see that modern proof theory provides useful tools 
for understanding least and greatest fixed points and controlling the structure of 
proofs involving those concepts. 

Arguably, the most important property of a logic is its consistency. In sequent 
calculus, consistency is obtained from cut elimination, which requires a symmetry 
between one connective and its dual, or in other words between construction and 
elimination, conclusion and hypothesis. The notions of polarity and focusing are 
more recent in proof theory but their growing importance puts them on par with cut 
elimination. Focusing organizes proofs in stripes of asynchronous and synchronous 
rules, removing irrelevant interleavings and inducing a reading of the logic based on 
macro-connectives aggregating stripes of usual connectives. Focusing is useful to 
justify game theoretic semantics [Miller and Saurin 2006; Delande and Miller 2008; 
Delande et al. 2010] and has been central to the design of Ludics [Girard 2001] . From 
the viewpoint of proof search, focusing plays the essential role of reducing the space 
of the search for a cut-free proof, by identifying situations when backtracking is 
unnecessary. In logic programming, it plays the more demanding role of correlating 
the declarative meaning of a program with its operational meaning, given by proof 
search. Various computational systems have employed different focusing theorems: 
much of Prolog's design and implementations can be justified by the completeness of 
SLD resolution [Apt and van Emden 1982]; uniform proofs (goal-directed proofs) 
in intuitionistic and intuitionistic linear logics have been used to justify AProlog 
[Miller ct al. 1991] and Lolli [Hodas and Miller 1994]; the classical linear logic 
programming languages LO [Andrcoli and Pareschi 1991], Forum [Miller 1996] and 
the inverse method [Chaudhuri and Pfenning 2005] have used directly Andreoli's 
general focusing result [Andreoli 1992] for linear logic. In the presence of fixed 
points, proof search becomes particularly problematic since cut-free derivations are 
not analytic anymore. Many systems use various heuristics to restrict the search 
space, but these solutions lack a proof theoretical justification. In that setting, 
focusing becomes especially interesting, as it yields a restriction of the search space 
while preserving completeness. Although it docs not provide a way to decide the 
undecidablc, focusing brings an appreciable leap forward, pushing further the limit 
where proof theory and completeness leave place to heuristics. 

In this paper, we propose a fundamental proof theoretic study of the notions 
of least and greatest fixed point. By considering fixed points as primitive notions 
rather than, for example, encodings in second-order logic, we shall obtain strong 
results about the structure of their proofs. We introduce the logic /xMALL which 
extends the multiplicative and additive fragments of linear logic (MALL) with least 
and greatest fixed points and establish its two fundamental properties, i.e., cut elim- 
ination and focusing. There are several reasons to consider linear logic. First, its 
classical presentation allows us to internalize the duality between least and great- 
est fixed point operators, obtaining a simple, symmetric system. Linear logic also 
allows the independent study of fixed points and exponentials, two different ap- 
proaches to infinity. Adding fixed points to linear logic without exponentials yields 
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a system where they are the only source of infinity; we shall see that it is already 
very expressive. Finally, linear logic is simply a decomposition of intuitionistic and 
classical logics [Girard 1987]. Through this decomposition, the study of linear logic 
has brought a lot of insight to the structure of those more common systems. In 
that spirit, we provide in this paper some foundations that have already been used 
in more applied settings. 

The logic ^MALL was initially designed as an elementary system for studying 
the focusing of logics supporting (co)inductivc definitions [Momigliano and Tiu 
2003]; leaving aside the simpler underlying propositional layer (MALL instead of 
LJ), fixed points are actually more expressive than this notion of definition since 
they can express mutually recursive definitions. But /iMALL is also relatively close 
to type theoretical systems involving fixed points [Mendler 1991; Matthes 1999]. 
The main difference is that our logic is a first-order one, although the extension 
to second-order would be straightforward and the two fundamental results would 
extend smoothly. Inductive and coinductive definitions have also been approached 
by means of cyclic proof systems [Santocanale 2001; Brotherston 2005]. These 
systems are conceptually appealing, but generally weaker in a cut-free setting; some 
of our earlier work [Baclde 2009] addresses this issue in more details. 

There is a dense cloud of work related to /iMALL. Our logic and its focusing 
have been used to revisit the foundations of the system Bcdwyr [Baclde ct al. 2007], 
a proof search approach to model checking. A related work [Baclde 2009] carried 
out in /iMALL establishes a completeness result for inclusions of finite automata 
leading to an extension of cyclic proofs. The treatment of fixed points in /iMALL, as 
presented in this paper, can be used in full linear logic (/iLL) and intuitionistic logic 
(/iLJ). /iLL has been used to encode and reason about various sequent calculi [Miller 
and Pimentel 2010]. /iLJ has been given a game semantics [Clairambault 2009], 
and has been used in the interactive theorem prover Tac where focusing provides a 
foundation for automated (co)inductive theorem proving [Baelde et al. 2010], and 
in [Nigam 2009] to extend a logical approach to tabling [Miller and Nigam 2007] 
where focusing is used to avoid redundancies in proofs. Finally, those logics have 
also been extended with (minimal) generic quantification [Miller and Tiu 2005; 
Baelde 2008b], which fully enables reasoning in presence of variable binding, e.g., 
about operational semantics, logics or type systems. 

The rest of this paper is organized as follows. In Section 2, we introduce the 
logic, provide a few examples and study its basic proof theory. Section 3 establishes 
cut elimination for //MALL, by adapting the candidates of reducibility argument 
to obtain a proof of weak normalization. Finally, we investigate the focusing of 
/iMALL in Section 4, and present a simple application to intuitionistic logic. 

2. /iMALL 

We assume some basic knowledge of simply-typed A-calculus [Barcndrcgt 1992] 
which wc leverage as a representation framework, following Church's approach to 
syntax. This allows us to consider syntax at a high-level, modulo a/3r/-conversion. 
In this style, we write Px to denote a formula from which x has been totally 
abstracted out {x does not occur free in P). so that Pt corresponds to the sub- 
stitution of x by t, and we write Xx.P to denote a vacuous abstraction. For- 
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mulas arc objects of type o, and the syntactic variable 7 shall represent a term 
type, i.e., any simple type that does not contain o. A predicate of arity n is 
an object of type 71 — > ... — > 7 n — >• o, and a predicate operator (or simply 
operator) of first-order arity n and second-order arity m is an object of type 
t\ —>•...—>• r m — >• 71 —>...—>• 7„ — > o where the tj are predicate types of ar- 
bitrary arity. We shall see that the term language can in fact be chosen quite 
freely: for example terms might be first-order, higher-order, or even dependently 
typed, as long as equality and substitution are defined. 

We shall denote terms by s, t; formulas by P, Q; operators by A, B; term variables 
by x, y\ predicate variables by p, q; and atoms (predicate constants) by a, b. The 
syntax of fjMALL formulas is as follows: 

P ::= P®P|P©P|P 2 ?P|P&P|l|0|_L|T| a r| aH 
3~fX. Px I V 7 x. Px I s = 7 t I s t 
M7i...7„(ApAx. Ppx)t I z^ 7l ... 7 „ (XpXx. Ppx)t I pt I p t 

The quantifiers have type (7 — > o) — >• o and the equality and disequality [i.e., =/=) 
have type 7 — > 7 — > o. The connectives /i and f have type (t — > r) — >■ t where r is 
71 —►•••—>• 7„ — >■ o for some arity n > 0. We shall almost always elide the references 
to 7, assuming that they can be determined from the context when it is important 
to know their value. Formulas with top-level connective pi or v are called fixed point 
expressions and can be arbitrarily nested (such as in v(Xp. p ® n{Xq. 1 © a ® q)), 
written vp. p ® (pq. 1 © a ® q) for short) and interleaved (e.g., fip. 1 © /ig. 1 © 
p ® q). Nested fixed points correspond to iterated (co)inductive definitions while 
interleaved fixed points correspond to mutually (co)inductivc definitions, with the 
possibility of simultaneously defining an inductive and a coinductivc. 

Note that negation is not part of the syntax of our formulas, except for atoms 
and predicate variables. This is usual in classical frameworks, where negation is 
instead defined as an operation on formulas. 



Definition 2.1 Negation (P ,B). Negation is the involutive operation on formu- 
las satisfying the following equations: 
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An operator B is said to be monotonic when it does not contain any occurrence of 
a negated predicate variable. We shall write P — o Q for P 1 - ^ Q, and P 0-0 Q for 
(P^Q)k(Q^P). 



We shall assume that all predicate operators are monotonic, and do not have 
any free term variable. By doing so, we effectively exclude negated predicate vari- 
ables p 1 - from the logical syntax; they are only useful as intermediate devices when 
computing negations. 

Example 2.2. We assume a type n and two constants and s of respective types 
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n and n — > n. The operator (XpXx. x = © 3y. x — s (s y) ® p y) whose least 
fixed point describes even numbers is monotonic, but (XpXx. x = © By. x — s y ® 
(p U ~ ° 0)) is non- monotonic because of the occurrence of p^y that remains once 
the definition of — ° has been expanded and negations have been computed. 

A signature, denoted by E, is a list of distinct typed variables. We write £ h t : 7 
when t is a well- formed term of type 7 under the signature £; we shall not detail how 
this standard judgment is derived. A substitution 9 consists of a domain signature 
E, an image signature £', and a mapping from each x : 7 in £ to some term t of 
type 7 under E'. We shall denote the image signature £' by E6*. Note that we 
do not require each variable from £0 to be used in the image of E: for example, 
we do consider the substitution from E to (£,£') mapping each variable in E to its 
counterpart in the extended signature. If E \- t : 7, then tO denotes the result of 
substituting free variables in t by their image in 9, and we have £# h tO : 7. 

Our sequents have the form E; h T where the signature E denotes universally 
quantified terms 1 , and T is a multiset of formulas, i.e., expressions of type o under 
E. Here, we shall make an exception to the higher-order abstract syntax muta- 
tional convention: when we write E; h T using the metavariable E (i.e., without 
detailing the contents of the signature) we allow variables from E to occur in T. It 
is often important to distinguish different occurrences of a formula in a proof, or 
track a particular formula throughout a proof; such distinctions are required for a 
meaningful computational interpretation of cut elimination, and they also play an 
important role in our focusing mechanisms. In order to achieve this, we shall use 
the notion of location. From now on, we shall consider a formula not only as the 
structure that it denotes, namely an abstract syntax tree, but also as an address 
where this structure is located. Similarly, subformulas have their own locations, 
yielding a tree of locations and sublocations. We say that two locations are disjoint 
when they do not share any sublocation. Locations are independent of the term 
structure of formulas: all instantiations of a formula have the same location, which 
amounts to say that locations are attached to formulas abstracted over all terms. 
We shall not provide a formal definition of locations, which would be rather heavy, 
but a high-level description should give a sufficient understanding of the concept. 
A formal treatment of locations can be found in [Girard 2001], and locations can 
also be thought of as denoting nodes in proof nets or variable names in proof terms. 
Locations allow us to make a distinction between identical formulas, which have 
the same location, and isomorphic formulas which only denote the same structure. 
When we talk of the occurrences of a formula in a proof, we refer to identical formu- 
las occurring at different places in that derivation. We shall assume that formulas 
appearing in a sequent have pairwise disjoint locations. In other words, sequents 
are actually sets of formulas-with-location, which docs not exclude that a sequent 
can contain several isomorphic formulas. 

We present the inference rules for /iMALL in Figure 1. Rules which arc not 
in the identity group are called logical rules, and the only formula whose toplevcl 
connective is required for the application of a logical rule is said to be principal in 

lr Term constants and atoms are viewed as being introduced, together with their types, in an 
external, toplevel signature that is never explicitly dealt with. Predicate variables are not found 
in either of those signatures; they cannot occur free in sequents. 
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Identity group 
S;hr,P ± S;hP, A 

cut r lm t 

E; h r, A E; h P, P x 



MALL rules 

E;hr E;hT, P,Q E; h T, P E; h A, 



E;hr,± Sjl-r,?^ E;hr,A,P®Q E;hl 

E;hr,P hr,Q S;r-r, Pi 

E; h A, T T E;h T.P&Q & E; h T, P Pi ® 

First-order structure 

E, x : 7; h T, Px Ehi:7 E;hr,Pt 
E;hr,V 7 x.Px V E;h T^x.Px 3 

{ E6»; h re : 9 e csu(s = t) } 



E;|-r,s^t ' E;hi = ( 

Fixed points 

S;r-r,Sf x;h BSx, (S3)- 1 E; h T, B(fiB)t 

v 

E; h T, uBt E; h V, fiBt 



Fig. 1: Inference rules for first-order ^tMALL 



that rule application. In the 7^ rule, 9 is a substitution of domain S ranging over 
universal variables, T# is the result of applying that substitution to every term of 
every formula of T. In the v rule, which provides both induction and coinduction, 
S is called the (co)invariant, and is a closed formula of the same type as vB, of the 
form 71 7„ — >• o. We shall adopt a proof search reading of derivations: for 

instance, we call the \x rule "unfolding" rather than "folding" , and we view the rule 
whose conclusion is the conclusion of a derivation as the first rule of that derivation. 

Inference rules should be read from the locative viewpoint, which we illustrate 
with a couple of key examples. In the V and 3 rules, the premise and conclusion 
scqucnts only differ in one location: the principal location is replaced by its only 
sub-location. The premise sequents of the ^ rule are locatively identical to the 
conclusion sequent, except for the location of the principal ^ formula that has 
been removed. Similarly in the & rule, the formulas of the context Y are copied in 
the two premises, each of them occurring (identically) three times in the rule. In 
the axiom rule, the two formulas are locatively distinct but have dual structures. 
In the v rule, the formulas from the co-invariancc proofs have new locations, as 
well as the co-invariant in the main premise. This means that these locations can 
be changed at will, much like a renaming of bound variables. A greatest fixed point 
has infinitely many sublocations, regarding the coinvariants as its subformulas. In 
the fi rule, the formula B([iB)t is the only sublocation of the least fixed point. 
Distinct occurrences of fj,B in B(/j,B) (resp. vB in B(vB)) have distinct locations, 
so that the graph of locations remains a tree. It is easy to check that inference rules 
preserve the fact that sequents are made of disjoint locations. 

Note that /dVIALL is a conservative extension of MALL, meaning that a MALL 
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formula is derivable in MALL if and only if it is derivable in ^(MALL: it is easy 
to check that MALL and /iMALL have the same cut-free derivations of MALL 
formulas, and cut elimination will allow us to conclude. 

In the following, we use a couple of notational shortcuts. For conciseness, and 
when it does not create any ambiguity, we may use • to denote implicitly abstracted 
variables, e.g., P»x denotes Xy.Pyx. Similarly, we may omit abstractions, e.g., _L 
used as a coinvariant stands for Ax. _L and, when Si and £2 are predicates of the 
same type, Si ^ £2 stands for Ax. Six 2 ? S2X. Finally, we shall omit the signature 
of sequents whenever unambiguous, simply writing h T. 

2.1 Equality 

The treatment of equality dates back to [Girard 1992; Schrocdcr-Hcister 1993], 
originating from logic programming. In the disequality rule, which is a case analysis 
on all unifiers, csu stands for complete set of unifiers, that is a set S of unifiers of 
u = v such that any unifier a can be written as 9a' for 9 e S. For determinacy 
reasons, we assume a fixed mapping from unification problems to complete sets 
of unifiers, always taking {id} for csu(u = u). Similarly, we shall need a fixed 
mapping from each unifier a' G csu(u8 = v9) to a a £ csu(u = v) such that 
9a' = cr(9' for some 9' — existence is guaranteed since 9a' is a unifier of u = v. In 
the first-order case, and in general when most general unifiers exist, the csu can 
be restricted to having at most one element. But we do not rule out higher-order 
terms, for which unification is undecidable and complete sets of unifiers can be 
infinite [Huct 1975] — in implementations, we restrict to well-behaved fragments 
such as higher-order patterns [Miller 1992]. Hence, the left equality rule might be 
infinitely branching. But derivations remain inductive structures (they don't have 
infinite branches) and are handled naturally in our proofs by means of (transfinitc) 
structural induction. Again, the use of higher-order terms, and even the presence 
of the equality connectives are not essential to this work. All the results presented 
below hold in the logic without equality, and do not make much assumptions on 
the language of terms. 

It should be noted that our "free" equality is more powerful than the more usual 
Leibniz equality. Indeed, it implies the injectivity of constants: one can prove 
for example that Vx. = s x — ° since there is no unifier for = s x. This 
example also highlights that constants and universal variables are two different 
things, since only universal variables are subject to unification — which is why we 
avoid calling them eigenvariables. It is also important to stress that the disequality 
rule does not and must not embody any assumption about the signature, just like 
the universal quantifier. That rule enumerates substitutions over open terms, not 
instantiations by closed terms. Otherwise, with an empty domain we would prove 
Vx. x = x — (no possible instantiation for x) and Vx. x = x, but not (without 
cut) \/x. 0. Similarly, by considering a signature with a single constant c : T2, so 
that ri is empty while t\ — > t-i contains only Xx. c, we would indeed be able to prove 
Vx. x = x and Vx. x = x — o By. x = Xa. y but not (without cut) \/x3y. x = Xa. y. 

Example 2.3. Units can be represented by means of = and 7^. Assuming that 2 
and 3 are two distinct constants, then we have 2 = 2 0-0 1 and 2 = 3 0-0 (and 
hence 2 / 2 «> _L and 2 ^ 3 T). 
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2.2 Fixed points 

Our treatment of fixed points follows from a line of work on definitions [Girard 1992; 
Schroeder-Heister 1993; McDowell and Miller 2000; Momigliano and Tiu 2003]. In 
order to make that lineage explicit and help the understanding of our rules, let 
us consider for a moment an intuitionistic framework (linear or not). In such a 
framework, the rules associated with least fixed points can be derived from Knastcr- 
Tarski's characterization of an operator's least fixed point in complete lattices: it 
is the least of its pre-fixed points 2 . 

x; BSx h Sx S; T h B(fj,B)t 
S; fiBth- St E; T h fiBt 

As we shall see, the computational interpretation of the left rule is recursion. Obvi- 
ously, that computation cannot be performed without knowing the inductive struc- 
ture on which it iterates. In other words, a cut on St cannot be reduced until a cut 
on \xBt is performed. As a result, a more complex left introduction rule is usually 
considered (e.g., in [Momigliano and Tiu 2003]) which can be seen as embedding 
this suspended cut: 

E;T,SthP x;BSxhSx E;T h B(uB)t 

E;T,fiBt\-P E;T\-fiBt 

Notice, by the way, how the problem of suspended cuts (in the first set of rules) 
and the loss of subformula property (in the second one) relate to the arbitrariness 
of 5, or in other words the difficulty of finding an invariant for proving F, uBt h P. 

Greatest fixed points can be described similarly as the greatest of the post-fixed 
points: 

H;T,B(vB)t\-P S; T h St x; Sx h BSx 
E-r,vBt\-P Y,;T\-vBt 

Example 2.4. Let B nat be the operator (XN\x. x = ® By. x = s y <£> N y) and 
not be its least fixed point nB nat . Then the following inferences can be derived 
from the above rules: 

E;T,SthP hSO y;Sy^S(sy) S;T h nat t 

S; r, nat t\~P S;T h nat E; T h nat (s t) 

Let us now consider the translation of those rules to classical linear logic, using 
the usual reading of T h P as h T 1 ,? where (Pi, ... , Pn) 1 - is (P^, P^). It 
is easy to see that the above right introduction rule for /x (resp. v) becomes the 
fi (resp. v) rule of Figure 1, by taking r for F. Because of the duality between 
least and greatest fixed points (i.e., ([iB) = vB) the other rules collapse. The 
translation of the above left introduction rule for v corresponds to an application 
of the n rule of /iMALL on (vBt) 1 ^ = uBt. The translation of the left introduction 
rule for a is as follows: 

hT x ,S x t,P \-(BSx) x ,Sx 

2 Pre-fixcd points of <p are those x such that <j>(x) < x. 
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Without loss of generality, we can write S as S . Then (BSx) 1 - is simply BS'x 
and we obtain exactly the v rule of fiMALL on vB: 



hr- L ,S / t,P hBS'x,S r± x 
h Y^,vBt,P 

In other words, by internalizing syntactically the duality between least and great- 
est fixed points that exists in complemented lattices, we have also obtained the 
identification of induction and coinduction principles. 

Example 2.5. As expected from the intended meaning of /i and v, v(Xp.p) is 
provable (take any provable formula as the coinvariant) and its dual [i(Xp.p) is not 
provable. More precisely, ^i(Xp.p) °-o and is(Xp.p) o-o T. 

2.3 Comparison with other extensions of MALL 

The logic ^MALL extends MALL with first-order structure (V, 3, = and ^) and 
fixed points (jx and v) . A natural question is whether fixed points can be compared 
with other features that bring infinite behavior, namely exponentials and second- 
order quantification. 

In [Baclde and Miller 2007], we showed that //MALL can be encoded into full 
second-order linear logic (LL2), i.e., MALL with exponentials and second-order 
quantifiers, by using the well-known second-order encoding: 

[jj,Bt\ = VS. !(Vx. [B]Sx -o Sx) -o St 

This translation highlights the fact that fixed points combine second-order aspects 
(the introduction of an arbitrary (co)invariant) and exponentials (the iterative be- 
havior of the v rule in cut elimination). The corresponding translation of ^MALL 
derivations into LL2 is very natural — anticipating the presentation of cut elimina- 
tion for //MALL, cut reductions in the original and encoded derivations should even 
correspond quite closely. We also provided a translation from LL2 proofs of encod- 
ings to //MALL proofs, under natural constraints on second-order instantiations; 
interestingly, focusing is used to case this reverse translation. 

It is also possible to encode exponentials using fixed points, as follows: 

[IP] = n(Xp. J_© (p^p)® [P]) [IP] = [7P 1 ] 1 

This translation trivially allows to simulate the rules of weakening (W), contraction 
(C) and dereliction (D) for [?P] in /iMALL: each one is obtained by applying the 
p, rule and choosing the corresponding additive disjunct. Then, the promotion rule 
can be obtained for the dual of the encoding. Let L be a sequent containing only 
formulas of the form [?Q], and T 1 - denote the tensor of the duals of those formulas, 
we derive h L, [IP] from h T, [P] using T 1 - as a coinvariant for [IP]: 

<8>,init ^=^= ®,init 



hr.r 1 hr,r J 
nr.r.r 1 ^r 1 
FT\T w h r, r- 1 ® r 1 G h-r, [P] 

®, init 



hTXAp. lk(p®p)k[P]) v 

ACM Transactions on Computational Logic, Vol. V, No. N, December 2010. 



10 • David Baelde 

Those constructions imply that the encoding of provable statements involving ex- 
ponentials is also provable in /iMALL. But the converse is more problematic: not 
all derivations of the encoding can be translated into a derivation using exponen- 
tials. Indeed, the encoding of [IP] is an infinite tree of [P], and there is nothing 
that prevents it from containing different proofs of [P], while IP must be uniform, 
always providing the same proof of P. Finally, accordingly with these different 
meanings, cut reductions are different in the two systems. 

It seems unlikely that second-order quantification can be encoded in //MALL, 
or that fixed points could be encoded using only second-order quantifiers or only 
exponentials. In any case, if such encodings existed they would certainly be as 
shallow as the encoding of exponentials, i.e., at the level of provability, and not 
reveal a connection at the level of proofs and cut elimination like the encoding of 
fixed points in LL2. 

2.4 Basic meta-theory 

Definition 2.6. If is a term substitution, and II a derivation of E;h T, then 
we define IT0, a derivation of E#; h TO: TlQ always starts with the same rule as 
II, its premises being obtained naturally by applying 9 to the premises of II. The 
only non-trivial case is the ^ rule. Assuming that we have a derivation II where 
u 7^ v is principal, with a subderivation 11^ for each a £ csu(u = v), we build a 
subderivation of 116 for each a' 6 csu(u8 = v9). Since 9a' is a unifier for u = v, it 
can be written as o~9' for some a £ csu(u = v). Hence, T\ a 9' is a suitable derivation 
for a'. Note that some n CT might be unused in that process, if a is incompatible 
with 9, while others might be used infinitely many times 3 . 

Note that the previous definition encompasses common signature manipulations 
such as permutation and extension, since it is possible for a substitution to only 
perform a renaming, or to translate a signature to an extended one. 

We now define functoriality, a proof construction that is used to derive the fol- 
lowing rule: 



In functional programming terms, it corresponds to a map function: its type is 
(Q — ° P) — ° (BQ — o BP) (taking Q 1 ^ as Q in the above inference). Functori- 
ality is particularly useful for dealing with fixed points: it is how we propagate 
reasoning/computation underneath B [Matthes 1999]. 

Definition 2.7 Functoriality, .Fa (IT). Let IT be a proof of x; h Px, Qx and B be a 
monotonic operator such that E h B : (7 —> o) — > o. We define Fb (II) , a derivation 
of E; h BP, BQ, by induction on the maximum depth of occurrences of p in Bp: 

- When B = Xp. P' , -Fb(IT) is an instance of init on P'. 



3 Starting with a rule on x ^ y z, which admits the most general unifier [(y z)/x], and applying 
the substitution 9 = [u v/x], we obtain u v 7^ y z which has no finite csu. In such a case, the 
infinitely many subderivations of 119 would be instances of the only subderivation of EL 



x; h Px, Qx 
E; h BP,~BQ 



B 
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Otherwise, we perform an ry-expansion based on the toplevel connective of 
B and conclude by induction hypothesis. We only show half of the connectives, 
because dual connectives are treated symmetrically. There is no case for units, 
equality and disequality since they are treated as part of the vacuous abstraction 
case. 

When B = Xp. B x p ® B 2 p: 

F Bl (IL) Fb 2 (n) 



X^-JhPjhQ Z:hB 2 P,B 2 Q 
E; h BiP g B 2 P,~B\Q,~B 2 Q 
E;r- BtP ® B 2 P,B X Q^B 2 Q 

When B = Xp. B x p © B 2 p: 

Fb-l (n) f B2 (u) 



E;r-BiP,BiQ B 2 P,B 2 Q 



E; h BiP © giQ E;h giP © B 2 P,B 2 Q 
E; h B]P © B 2 P,BiQkB 2 Q 

When _B = Ap. 3a;. B'px: 

E,a;:r- B'Px,b'Qx 



E,cc;r- 3cc. B'Px 7 B'Qx 

V 



E;h 3x. B'Px,yx. B Qx 
When £? = Ap. fi(B'p)t, we show that v{B' P^) is a coinvariant of v{B'Q): 

F{\p.B'p(^(B' P))£)(II) 



aT; h (B'P)(n(B'P))x, (B / Q)(v(B , P ± ))x 
init ; — ; — ; -= — — — -= — — M 



E; h n{B'P)t, u{B'P^)t x; h n{B'P)x 7 {B'Q){v(B> F^))x 

E; h n{B'P% v{WQ)t 

Proposition 2.8 Atomic initial rule. We call atomic the init rules acting 
on atoms or fixed points. The general rule init is derivable from atomic initial 
rules. 

Proof. By induction on P. we build a derivation of h P- 1 , P using only atomic 
axioms. If P is not an atom or a fixed point expression, we perform an 77-expansion 
as in the previous definition and conclude by induction hypothesis. Note that 
although the identity on fixed points can be expanded, it can never be eliminated: 
repeated expansions do not terminate in general. □ 

The constructions used above can be used to establish the canonicity of all our 
logical connectives: if a connective is duplicated into, say, red and blue variants 
equipped with the same logical rules, then those two versions are equivalent. In- 
tuitively, it means that our connectives define a unique logical concept. This is a 
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known property of the connectives of first-order MALL, we show it for fi and its 
copy ft by using our color-blind expansion: 

init 



h B{vB)x,B{ftB)x 
init — — ft 



h 0Bt, fiBt h B{vB)x, fiBx 

=^ v 

h vBt, fiBt 

Proposition 2.9. The following inference rule is derivable: 

h T,B{vB)t 



h L, vBt 



vR 



Proof. The unfolding vR is derivable from v, using B{yB) as the coinvariant 
S. The proof of coinvariance h B(B(vB))x, B(fiB)x is obtained by functoriality 
on h B{vB)x, fiBx, itself obtained from and init. □ 

Example 2.10. In general the least fixed point entails the greatest. The following 
is a proof of fiBt — o i/Bi, showing that /if? is a coinvariant of Z/.B: 



— — — — xnxt 

h B([iB)x,B(vB)x 
init = vR 



h i/Si, ^Bi h B{fiB)x, vBx 
=^ v on vBt with := /i£? 

The greatest fixed point entails the least fixed point when the fixed points are 
noetherian, i.e., predicate operators have vacuous second-order abstractions. Fi- 
nally, the vR rule allows to derive [iBt o-o B(fiB)t, or cquivalcntly vBt o-o B(vB)t. 

2.5 Polarities of connectives 

It is common to classify inference rules between invertible and non-invcrtible ones. 
In linear logic, we can use the refined notions of positivity and negativity. A formula 
P is said to be positive (resp. Q is said to be negative) when P o-o \P (resp. Q o-o 
7Q). A logical connective is said to be positive (resp. negative) when it preserves 
positivity (resp. negativity). For example, ® is positive since P ® P' is positive 
whenever P and P' are. This notion is more semantical than invertibility, and has 
the advantage of actually saying something about non-invcrtible connectives/rules. 
Although it does not seem at first sight to be related to proof-search, positivity 
turns out to play an important role in the understanding and design of focused 
systems [Liang and Miller 2007; Laurent 2002; Laurent et al. 2005; Danos et al. 
1993; 1995]. 

Since //MALL does not have exponentials, it is not possible to talk about posi- 
tivity as defined above. Instead, we are going to take a backwards approach: wc 
shall first define which connectives are negative, and then check that the obtained 
negative formulas have a property close to the original negativity. This does not 
trivialize the question at all: it turns out that only one classification allows to de- 
rive the expected property Wc refer the interested reader to [Baelde 2008a] for the 
extension of that proof to /iLL, i.e., /iMALL with exponentials, where wc follow 
the traditional approach. 
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Definition 2.11. We classify as negative the following connectives: _L, &, 
T, V, ^, v. Their duals are called positive. A formula is said to be negative 
(resp. positive) when all of its connectives are negative (resp. positive). Finally, an 
operator XpXx.Bpx is said to be negative (resp. positive) when the formula Bpx is 
negative (resp. positive). 

Notice, for example, that XpXx.px is both positive and negative. But (ip-p is 
only positive while vp.p is only negative. Atoms (and formulas containing atoms) 
arc neither negative nor positive: indeed, they offer no structure from which the 
following fundamental property could be derived. 

Proposition 2.12. The following structural rules are admissible for any nega- 
tive formula P : 

E;hr,P,P 
£;hr,P E;h T,P W 

We can already note that this proposition could not hold if /i was negative, since 
fi(Xp.p) cannot be weakened (there is obviously no cut-free proof of h /j,(Xp.p), 1). 

Proof. We first prove the admissibility of W. This rule can be obtained by 
cutting a derivation of E; h P, 1. We show more generally that for any collection 
of negative formulas (Pj)i, there is a derivation of h (Pj)j, 1. This is done by 
induction on the total size of (-Pj)j, counting one for each connective, unit, atom 
or predicate variable but ignoring terms. The proof is trivial if the collection is 
empty. Otherwise, if Pq is a disequality we conclude by induction with one less 
formula, and the size of the others unaffected by the first-order instantiation; if it 
is T our proof is done; if it is _L then Pq disappears and we conclude by induction 
hypothesis. The 2J case is done by induction hypothesis, the resulting collection has 
one more formula but is smaller; the & makes use of two instances of the induction 
hypothesis; the V case makes use of the induction hypothesis with an extended 
signature but a smaller formula. Finally, the v case is done by applying the v rule 
with _L as the invariant: 

\-±,(Pi)i,l hB(Xx.±)x,l 
h vBt, (Pi),, 1 

The two subderivations arc obtained by induction hypothesis. For the second one 
there is only one formula, namely B(\x.A.)x, which is indeed negative (by mono- 
tonicity of B) and smaller than vB. 

We also derive contraction (C) using a cut, this time against a derivation of 
h (P 2? P) x , P. A generalization is needed for the greatest fixed point case, and we 
derive the following for any negative n-ary operator A: 

h {A{vB x ) . . . (vB n ) 2? A{vBi) . . . (yB^AivBi ^ vB x ) . . . (yB n ^ vB n ) 

We prove this by induction on A: 

4 This essential aspect of atoms makes them often less interesting or even undesirable. For example, 
in our work on minimal generic quantification [Baelde 2008b] we show and exploit the fact that 
this third quantifier can be defined in /^LJ without atoms. 
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— It is trivial if A is a discquality, T or 1. 

If A is a projection Xp. prf, we have to derive h (vBit 7 ^ vBit) 1 - , vBit 7 ^ vBit, 
which is an instance of init. 

- If A is Xp. Aip 7 ^ A 2 p, we can combine our two induction hypotheses to derive 
the following: 

h ((Ai(vB i ) l 2? Ax(yBi)i) 2? {A 2 {vB i ) i 2? A 2 (vB i ) i )) ± ,A 1 {vB i ) i 2? A 2 (vB l ) l 

We conclude by associativity-commutativity of the tensor, which amounts to use 
cut against an easily obtained derivation of h ((Pi ^ P 2 ) ^ (Pi ^ P 2 )), ((Pi 2? Pi) ^ 
(P 2 ^P 2 )) ± iovPj : Ajvl!,),. 

- If A is Xp. Aip&zA 2 p we introduce the additive conjunction and have to derive 
two similar premises: 

h ((A 1 bA i )(vB i ) i 1(A 1 kA i )(vB i ) i ) x ,A j (vB i 1vB i ) i for j e {1,2} 

To conclude by induction hypothesis, we have to choose the correct projections for 
the negated &. Since the & is under the 2?, we have to use a cut — one can derive 
in general h ((Pi & P 2 ) ^ (Pi & p.))- 1 , P, ^ P, for j G {1, 2}. 

- When A is Ap. Vx. A'px, the same scheme applies: we introduce the universal 
variable and instantiate the two existential quantifiers under the 2? thanks to a cut. 

- Finally, we treat the greatest fixed point case: A is Xp. v(A'p)t. Let B n+ \ be 
A 1 (vBi)i< n . We have to build a derivation of 

h (vB n+l fa vBn+^^iA'ivBi 2? vBi)i)i 

We use the v rule, showing that vBn+i^vBn+i is a coinvariant of v(A' (vBffivBiji) . 
The left subderivation of the v rule is thus an instance of init, and the coinvariance 
derivation is as follows: 

h (A'(vBi)i(vB n+1 )S^ A'(vB i ) i (vB n+1 )x)- L , A'(uB, 2? vBi)i(vB n+1 2? iaB„+i)x II' 

: ; Cut 

h (^B n+ ix i/B„+if) x , A'(i/Bj 2? vB l ) l (uB n+1 2? 

Here, n' derives h (vB n+ ix 2? vB n+ ix)^, A 1 (vB i ) l (vB n+1 )x A 1 (vB i ) l (vB n+ i)x, 
unfolding ^P„+i under the tensor. We complete our derivation by induction hy- 
pothesis, with the smaller operator expression A 1 and P n +i added to the (Bi)i. 
□ 

The previous property yields some interesting remarks about the expressiveness 
of //MALL. It is easy to see that provability is undecidable in //MALL, by encoding 
(terminating) executions of a Turing machine as a least fixed point. But this kind 
of observation does not say anything about what theorems can be derived, i.e., 
the complexity of reasoning/computation allowed in pMALL. Here, the negative 
structural rules derived in Proposition 2.12 come into play. Although our logic is 
linear, it enjoys those derived structural rules for a rich class of formulas: for ex- 
ample, not is positive, hence reasoning about natural numbers allows contraction 
and weakening, just like in an intuitionistic setting. Although the precise complex- 
ity of the normalization of /iMALL is unknown, we have adapted some remarks 
from [Burroni 1986; Girard 1987; Alves et al. 2006] to build an encoding of primi- 
tive recursive functions in /tMALL [Baclde 2008a] — in other words, all primitive 
recursive functions can be proved total in /xMALL. 
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2.6 Examples 

We shall now give a few theorems derivable in //MALL. Although we do not 
provide their derivations here but only brief descriptions of how to obtain them, 
we stress that all of these examples are proved naturally. The reader will note 
that although /iMALL is linear, these derivations arc intuitive and their structure 
resembles that of proofs in intuitionistic logic. We also invite the reader to check 
that the //-focusing system presented in Section 4 is a useful guide when deriving 
these examples, leaving only the important choices. It should be noted that atoms 
are not used in this section; in fact, atoms are rarely useful in //MALL, as its main 
application is to reason about (fully defined) fixed points. 

Following the definition of nat from Example 2.4, we define a few least fixed points 
expressing basic properties of natural numbers. Note that all these definitions are 
positive. 

def 

even = p,(XEXx. i = 0ffl By. x = s (s y) <S> E y) 

def 

plus = /i(XPXaXbXc. a = © b = c 

© 3a'3c'.a = s a' ® c = s d ® P a' b c') 

def 

leq = n(XLXxXy. x = y © 3y . y = s y © L x y ) 

half d = fj,(XHXxXh. (i = 0©i = sO)«/i = 

© 3x'3h'. x = s (s x') <g> h = s h! ® H x' ti) 

def 

ack = ^(XAXmXnXa. m = Q®a = sn 

© (3p. m = sp®n = 0<8)Ap(sO)a) 

© (3p3q3b. m = s p <g> n = s q © A m q b © A p b a)) 

The following statements are theorems in /tMALL. The main insights required 
for proving these theorems involve deciding which fixed point expression should be 
introduced by induction: the proper invariant is not the difficult choice here since 
the context itself is adequate in these cases. 

h V:r. not x —o even x © even (s x) 
h \fx. not x yy3z. plus x y z 
h V.t. not x —o plus x x 

h V.t. not x —o \/y. not y — o Vz. plus x y z —° not z 

In the last theorem, the assumption (not x) is not needed and can be weakened, 
thanks to Proposition 2.12. In order to prove (Wx. not x —° 3h. half x h) the context 
does not provide an invariant that is strong enough. A typical solution is to use 
complete induction, i.e., use the strengthened invariant (Xx. not x © Vy. leq y x — o 
3h. half y h). 

We do not know of any proof of totality for a non-primitive recursive function in 
/iMALL. In particular, we have no proof of ViVy. not x — ° nat y — ° 3z. ack x y z. 
The corresponding intuitionistic theorem can be proved using nested inductions, 
but it does not lead to a linear proof since it requires to contract an implication 
hypothesis (in /tMALL, the dual of an implication is a tensor, which is not negative 
and thus cannot a priori be contracted) . 

A typical example of co-induction involves the simulation relation. Assume that 
step : state — > label —> state — > o is an inductively defined relation encoding a 
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labeled transition system. Simulation can be denned using the definition 

sim = is(XSXpXq. VaVp'. step p a p' —° 3q' . step q a q' <S> S p' q'). 

Reflcxivity of simulation (Vp. sim p p) is proved easily by co-induction with the 
co-invariant (XpXq. p = q). Instances of step are not subject to induction but are 
treated "as atoms" . Proving transitivity, that is, 

VpVqVr. sim p q — o sim q r — o sim p r 

is done by co-induction on (sim p r) with the co-invariant (XpXr. 3q. sim p q ® 
sim q r). The focus is first put on (sim p q) ± , then on (sim q r) . The fixed points 
(sim p' q') and (sim q' r') appearing later in the proof are treated "as atoms", as 
are all instances of step. Notice that these two examples are also cases where the 
context gives a coinvariant. 

3. NORMALIZATION 

In [Baelde and Miller 2007], we provided an indirect proof of normalization based 
on the second-order encoding of pMALL. However, that proof relied on the nor- 
malization of second-order linear logic extended with first-order quantifiers, and 
more importantly equality, but this extension of Girard's result for propositional 
second-order linear logic is only a (mild) conjecture. Moreover, such an indirect 
proof does not provide cut reduction rules, which usually illuminate the structure 
and meaning of a logic. In this paper, we give the first direct and full proof of 
normalization for pMALL: we provide a system of reduction rules for eliminating 
cuts, and show that it is weakly normalizing by using the candidates of reducibility 
technique [Girard 1987]. Establishing strong normalization would be useful, but we 
leave it to further work. Note that the candidates of reducibility technique is quite 
modular in that respect: in fact, [Girard 1987] only provided a proof of weak nor- 
malizability together with a conjectured standardization lemma from which strong 
normalization would follow. Also note, by the way, that Girard's proof applies to 
proof nets, while we shall work directly within sequent calculus; again, the adapta- 
tion is quite simple. Finally, the candidate of reducibility is also modular in that 
it relics on a compositional interpretation of connectives, so that our normalization 
proof (unlike the earlier one) should extend easily to exponentials and second-order 
quantification using their usual interpretations. 

Our proof can be related to similar work in other settings. While it would techni- 
cally have been possible to interpret fixed points as candidates through their second- 
order encoding, we found it more appealing to directly interpret them as fixed point 
candidates. In that respect, our work can be seen as an adaptation of the ideas from 
[Mendler 1991; Matthes 1999] to the classical linear setting, where candidates of 
reducibility are more naturally expressed as bi-orthogonals. This adaptation turns 
out to work really well, and the interpretation of least fixed points as least fixed 
points on candidates yields a rather natural proof, notably proceeding by meta-level 
induction on that fixed point construction. Also related, of course, is the work on 
definitions; although we consider a linear setting and definitions have been studied 
in intuitionistic logic, we believe that our proof could be adapted, and contributes 
to the understanding of similar notions. In addition to the limitations of defini- 
tions over fixed points, the only published proof of cut elimination [Momigliano 
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and Tiu 2003; Tiu 2004] further restricts definitions to strictly positive ones, and 
limits the coinduction rule to coinvariants of smaller "level" than the considered 
coinductive object. However, those two restrictions have been removed in [Tiu and 
Momigliano 2010], which relies (like our proof) on a full candidate of reducibil- 
ity argument rather than the earlier non-parametrized reducibility, and essentially 
follows (unlike our proof) a second-order encoding of definitions. 

We now proceed with the proof, defining cut reductions and then showing their 
normalization. Instead of writing proof trees, we shall often use an informal term 
notation for proofs, when missing details can be inferred from the context. We 
notably write cu£(II; II') for a cut, and more generally cut(H; II') for the sequence of 
cuts cut(. . . cut(H; !![)...; IIJJ. We also use notations such as II ® II', fill, u(U, 0), 
etc. Although the first-order structure does not play a role in the termination and 
complexity of reductions, we decided to treat it directly in the proof, rather than 
evacuating it in a first step. We tried to keep it readable, but encourage the reader 
to translate the most technical parts for the purely propositional case in order to 
extract their core. 

3.1 Reduction rules 

Rules reduce instances of the cut rule, and are separated into auxiliary and main 
rules. Most of the rules are the same as for MALL. For readability, we do not show 
the signatures £ when they are not modified by reductions, leaving to the reader 
the simple task of inferring them. 

3.1.1 Auxiliary cases. If a subderivation does not start with a logical rule in 
which the cut formula is principal, its first rule is permuted with the cut. We only 
present the commutations for the left subderivation, the situation being perfectly 
symmetric. 

If the subderivation starts with a cut, splitting T into L',r", we reduce as 
follows: 

l-r,P- L ,Q- L h F", Q 

cut 



hr'.r.p 1 hP,A 

h F',L",A 



cut 



cut 



i-r.A.Q- 1 - h_Q,r 

hr',r",A 



cut 



Note that this reduction alone leads to cycles, hence our system is trivially not 
strongly normalizing. This is only a minor issue, which could be solved, for example, 
by using proof nets or a classical multi-cut rule (which amounts to incorporate the 
required amount of proof net flexibility into sequent calculus). 

Identity between a cut formula and a formula from the conclusion: F is re- 
stricted to the formula P and the left subderivation is an axiom. The cut is deleted 
and the right subderivation is now directly connected to the conclusion instead of 
the cut formula: 
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r init — — — 

p,p x h p, A n 

cut 



h P, A — > h P, A 

- When permuting a cut and a ®, the cut is dispatched according to the splitting 
of the cut formula. When permuting a cut and a &, the cut is duplicated. The 
rules and © are easily commuted down the cut. 

- The commutations of T and _L are simple, and there is none for 1 nor 0. 

- When V is introduced, it is permuted down and the signature of the other 
derivation is extended. The 3 rule is permuted down without any problem. 

- There is no commutation for equality (=). When a disequality (^) is per- 
muted down, the other premise is duplicated and instantiated: 



£0;r-r0,P J -0 J 



£; l~ T' , u ^ v, P E;hF,A 

H;\-T',u^v,A CUt 

i 



£0; h T'e, P x 6 £0;hP6>,A0 



E;hr',u / v, A 

— r = r' , fiBt and that least fixed point is introduced: 
hr',^)^ 1 h T',B(iiB%P^ hP,A 

/U =; cut 

h-r, \xBt,P x hP,A h T', B(fiB)t, A 
^ cut ^ A 4 

hr',/iPt,A — ► hr' ;A <pt,A 

— r = r', i/Pi and that greatest fixed point is introduced: 

hr'.gijP 1 \-_Sx\BSx 

hr'.i/Bt;? 1 hP,A 

- Cut 

h r>Bt,A 

I 

hr'^C? 1 hP,A 

^ cut 

\-T',St,A \-SS x ,BSS 

h T',vBt,A 

3.1.2 Main cases. When a logical rule is applied on the cut formula on both 
sides, one of the following reductions applies. 

In the multiplicative case, T is split into (T', T") and we cut the subformulas. 
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hr,P' \-T",P" b P'^,P"^,l 

^T',T",P'®P" ® hP'^P'^A 

h r,r",A 
I 



cut 



cut 



cut 



r-r,r",A 

In the additive case, we select the appropriate premise of &. 

br,p i-a.Pq 1 - hA^ 
h r, Pq e A @ r- a, p,^ fc p^ br,p ; ka.p/- 

hr,A cu * — > hr,A cut 

The 1/_L case reduces to the subderivation of _L. There is no case for T/0. 
In the first-order quantification case, we perform a proof instantiation: 

ii; n r 

Sjh^Pt- 1 E,a;;b Px, A II, U r [t/x] 

3 — - — — — — — - V 



E; b T, 3x. Pa; 1 - E; b Vx. Px, A E;hr,P^ E;bPi,A 

E;bT,A CUt — > E;bI\A 

- The equality case is trivial, the interesting part concerning this connective lies 
in the proof instantiations triggered by other reductions. Since we are considering 
two terms that are already equal, we have csu(u = u) = {id} and we can simply 
reduce to the subderivation corresponding to the identity substitution: 



n 



id 



E; b u = u S;ha/!i,A lb, 

cut 



E; b A — > E; b A 

- Finally in the fixed point case, we make use of the functoriality transformation 
for propagating the coinduction/recursion under B: 



E; b T, B(fiB)t E;bA,S*f x ; b Sx L , BSx 

— A* v 

E;br,^tPt Y,;\-A,vBt 

E;bT,A CU * 

F B .Mid,Q)) n{ 



9[t/x] E;b BSH,B{uB)t E;bP(>P)i,r 



n; E;b Sp-,BSt E;b ss^r 



E;bA,5f E;bSf\r 

cut 



E;bT,A 
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One-step reduction II — )• II' is denned as the congruence generated by the above 
rules. We now seek to establish that such reductions can be applied to transform 
any derivation into a cut-free one. However, since we are dealing with transfinitc 
(infinitely branching) proof objects, there are trivially derivations which cannot 
be reduced into a cut-free form in a finite number of steps. A possibility would 
be to consider transfinite reduction sequences, relying on a notion of convergence 
for defining limits. A simpler solution, enabled by the fact that our infinity only 
happens "in parallel", is to define inductively the transfinite reflexive transitive 
closure of one-step reduction. 

Definition 3.1 Reflexive transitive closure, WAT. We define inductively II — >* 3 
to hold when (1) II 3, (2) II ->•* IT and IT ^* 5, or (3) II and 3 start with 
the same rule and their premises are in relation (i.e., for some rule 1Z, II = 7\L(IIj)j, 
5 = TZ(^i)i and each Ilj — >* 3j). We say that II normalizes when there exists 
a cut-free derivation II' such that II — ^* II'. We denote by WW the set of all 
normalizing derivations. 

From (1) and (2), it follows that if II reduces to 5 in n > steps, then II — >* 5. 
From (3) it follows that II — >* II for any II. In the finitely branching case, i.e., if 
the ^ connective was removed or the system ensured finite csu, the role of (3) is 
only to ensure reflexivity. In the presence of infinitely branching rules, however, it 
also plays the important role of packaging an infinite number of reductions. In the 
finitely branching case, one can show that II — >* 3 implies that there is a finite 
reduction sequence from IT to 3 (by induction on II — 3), and so our definition of 
normalization corresponds to the usual notion of weak normalization in that case. 

Proposition 3.2. If II 5 then m 30. 

Proof. By induction on II. If the redex is not at toplevel but in an immediate 
subderivation II', then the corresponding subderivations in IK? shall be reduced. If 
the first rule of II is disequality, there may be zero, several or infinitely many sub- 
derivations of 110 of the form II'0'. Otherwise there is only one such subderivation. 
In both cases, we show H8 — >* 56* by (3), using the induction hypothesis for the 
subderivations where the redex is, and reflexivity of — >* for the others. 

If the redex is at toplevel, then 110 — >• 30. The only non-trivial cases are the two 
reductions involving ^. In the auxiliary case, we have: 

; n r ) ^ ^(cut(Uy,U r a)) a 

e e 

cui(^(n^ GcS u(„0=^);nr0) ^^(cut(W a ,-(u r ey)) al 

By Definition 2.6, IT^., = ILjCt" for 9a' = aa" , a G csu(u = v). Applying 9 
on the reduct of II, we obtain for each a' the subderivation cut(U a ; Xl r a)a" = 
cut{Xl a o"; U r aa") = c?^<(II' (7 , ; H r 9a'). In the main case, II = cut(^(Uid); u = u) — > 
Il ld and U9 = cut{^m d )-u9 = u9) -> U' ld = Ii ld 9. □ 

Proposition 3.3. If II is normalizing then so is U9. 

PROOF. Given a cut-free derivation II' such that II — >* II', we show that 116* 
II' 9 by a simple induction on II — >* II', making use of the previous proposition. □ 
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Proposition 3.4. We say that S is an Id- simplification ofH if it is obtained 
from II by reducing an arbitrary, potentially infinite number of redexes cut(Q; Id) 
into 0. // 3 is an Id- simplification of II, and II is normalizable then so is S. 

Proof. Wc show more generally that if S is a simplification of II and II — >* IT 
then S — >* S' for some simplification 5' of II'. This is easily done by induction on 
II — >* IT, once we will have established the following fact: 7/S is a simplification of 
II and II — > LT, then H — >* E' for a simplification S' ofll' . If the redex in II does not 
involve simplified cuts, the same reduction can be performed in S, and the result is 
a simplification of II' (note that this could erase or duplicate some simplifications). 
If the reduction is one of the simplications then S itself is a simplification of II'. 
If a simplified cut is permuted with another cut (simplified or not) S is also a 
simplification of II'. Finally, other auxiliary reductions on a simplified cut also 
yield rcducts of which S is already a simplification (again, simplifications may be 
erased or duplicated). □ 

3.2 Reducibility candidates 

Definition 3.5 Type. A proof of type P is a proof with a distinguished formula 
P among its conclusion sequent. We denote by I dp the axiom rule between P and 
P ± , of type P. 

In full details, a type should contain a signature under which the formula is 
closed and well typed. That extra level of information would be heavy, and no real 
difficulty lies in dealing with it, and so we prefer to leave it implicit. 

If X is a set of proofs, we shall write II : P e X as a shortcut for "II G X and II 
has type P" . We say that II and II' are compatible if their types are dual of each 
other. 

Definition 3.6 Orthogonality. For 11,11' G WAf, we say that II iL IT when for 
any 6 and 6' such that 110 and LT0' are compatible, cut{W; IL'9') G WAf. For 
n G WAf and X C WAf, n _1L X iff II _1L IT for any IT € X, and X- 1 is { II e 
WW : n X X }. Finally, for X, Y C WAf, X JL Y iff II M IT for any We X, 

it g y. 

Definition 3.7 Reducibility candidate. A reducibility candidate X is a set of nor- 
malizing proofs that is equal to its bi-orthogonal, i.e., X = X- 1 - 1 . 

That kind of construction has some well-known properties 5 , which do not rely on 
the definition of the relation JL. For any sets of normalizable derivations X and Y, 
X C Y implies T x C X x and (X U Y) x = X x C\Y ± ; moreover, the symmetry of 
JL implies that X C X , and hence X = X xxx (in other words, X 1 - is always 
a candidate). 

Reducibility candidates, ordered by inclusion, form a complete lattice: given an 
arbitrary collection of candidates S, it is easy to check that (1J'5) ±± is its least upper 
bound in the lattice, and f]S its greatest lower bound. We check the minimality of 
(US') 1 - 1 -: any upper bound Y satisfies \JS C Y, and hence (U-S)^ Q Y xx = Y. 



5 This so-called polar construction is used independently for reducibility candidates and phase 
semantics in [Girard 1987] , but also, for example, to define behaviors in ludics [Girard 2001] . 
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Concerning the greatest lower bound, the only non-trivial thing is that it is a 
candidate, but it suffices to observe that f]S = C\xesX ±1 ~ — {{JxesX ± ) ± - The 
least candidate is ±J - and the greatest is WW. Having a complete lattice, we 
can use the Knaster-Tarski theorem: any monotonic operator <j) on reducibility 
candidates admits a least fixed point lfp(0) in the lattice of candidates. 

Our definition of JL yields some basic observations about candidates. They are 
closed under substitution, i.e., II £ X implies that any 11(9 £ X. Indeed, II £ X is 
equivalent to II _1L X 1 - which implies U9 1 X 1 by definition of JL and Proposition 
3.3. Hence, Idp belongs to any candidate, since for any n £ X^, cut(Id PS ;Il9') — > 
119' £ X 1 - C WW. Candidates are also closed under expansion, i.e., W — > U and 
n £ X imply that n' £ X. Indeed, for any H £ X^, cui(II'0; 30') ->* cut{Il9;E9') 
by Proposition 3.3, and the latter derivation normalizes. 

A useful simplification follows from those properties: for a candidate X, H JL X 
if for any 9 and compatible n' £ X, cut(H9;U') normalizes — there is no need to 
explicitly consider instantiations of members of X, and since Id £ X, there is no 
need to show that n normalizes by Proposition 3.4. 

The generalization over all substitutions is the only novelty in our definitions. 
It is there to internalize the fact that proof behaviors are essentially independent 
of their first-order structure. By taking this into account from the beginning in 
the definition of orthogonality, we obtain bi-orthogonals (behaviors) that are closed 
under inessential transformations like substitution. As a result, unlike in most 
candidate of reducibility arguments, our candidates are untyped. In fact, we could 
type them up-to first-order details, i.e., restrict to sets of proofs whose types have 
the same propositional structure. Although that might look more familiar, we 
prefer to avoid those unnecessary details. 

Definition 3.8 Reducibility. Let II be a proof of h Pi, . . . , P„, and (Xj)j = x...„ a 
collection of reducibility candidates. We say that n is (Xi, . . . , X„) -reducible if for 
any 8 and any derivations (n^ : P^0 £ X^ )j=i... ra , the derivation cut(I19; !![,..., Il' n ) 
normalizes. 

From this definition, it immediately follows that if n is {X±, . . . , X n ) -reducible 
then so is H9. Also observe that Idp is (X, X- 1 )- reducible for any candidate X, 
since for any n £ X and n' £ X 1 - cut(Idpg;H,H') reduces to cut(H;H') which 
normalizes. Finally, any (X\, . . . , X n ) -reducible derivation n normalizes, by Propo- 
sition 3.4 and the fact that cut(Tl; Id, . . . , Id) normalizes. 

PROPOSITION 3.9. Let U be a proof of h Pi, . . . , P n , let (Xi) i=1 ,,, n be a family 
of candidates, and let j be an index in 1 . . . n. The two following statements are 
equivalent: (1) n is (X\, . . . , X n ) -reducible; (2) for any 9 and (n' ; : Pi9^ £ X^)^, 

cut{m- (n^ex,-. 

Proof. (1) (2): Given such 9 and (Tl'^i-tj, we show that the derivation 
cut(H9; (nQj^y) £ Xj. Since Xj = Xj, it is equivalent to show that our derivation 
is in the orthogonal of Xj-. For each a and n" : PjOcr^- £ Xj-, we have to show 
that cut(cut{Y\9; (Yl' i )i^j)a; H") normalizes. Using cut permutation reductions, we 
reduce it into cut(H9a; n^er, . . . , n", . . . , Tl' n a), which normalizes by reducibility of 
n. (2) => (1) is similar: we have to show that cut(IL6;IL[, . . . H' n ) normalizes, we 
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reduce it into cut(cut(H9; (IlQj^y); 11^) which normalizes since H'j G Xj- and the 
left subderivation belongs to Xj by hypothesis. □ 

3.3 Interpretation 

We interpret formulas as reducibility candidates, extending Girard's interpretation 
of MALL connectives [Girard 1987]. 

Definition 3.10 Interpretation. Let P be a formula and £ an environment map- 
ping each n-ary predicate variable p occurring in P to a candidate. We define by 
induction on P a candidate called interpretation of P under £ and denoted by [P] . 

[ptf = £(p) [auf = { ha ^, a y } X± [Of = ±x [1} £ = { FT }^ 

n n' 



[P®Pf = { hA,Q hA'.Q' 

hA,A',Q®Q' : II : Q G [P] E ,W : Q' G [P'f 



n 



[P> © Pif = { h A 'Q» 

-A,g ®Qi : i 6 {0,1}, II: g, G [P} £ 



n 



[3a?. Px] £ = { \-T,Qt 

- T, 3a;. Qx : U : Q< G [Pi] 4 



if 



1" = «J = | h t = i J- 

[ M Pif = lfp(X i-> { fill : n : B{fiB)t' G [Bpf\ £ ^ x } xx ) 
[P] £ = ([P- 1 ] 5 )" 1 for all other cases 

The validity of that definition relies on a few observations. It is easy to check 
that we do only form (bi-)orthogonals of sets of proofs that are normalizing. More 
importantly, the existence of least fixed point candidates relies on the monotonic- 
ity of interpretations, inherited from that of operators. More generally, [P] £ is 
monotonic in £{p) if p occurs only positively in P, and antimonotonic in £ (p) if p 
occurs only negatively. The two statements are proved simultaneously, following 
the definition by induction on P. Except for the least fixed point case, it is trivial 
to check that (anti)monotonicity is preserved by the first clauses of Definition 3.10, 
and in the case of the last clause [P] £ = ([P ± ] £ ) ± each of our two statements 
is derived from the other. Let us now consider the definition of [jiBt\ £ , written 
lfp(0£ ) for short. First, the construction is well-defined: by induction hypothesis 
and monotonicity of B, [BqP\ £ ' q ^ x is monotonic in X, and hence 4>s is also mono- 
tonic and admits a least fixed point. We then show that lfp(c/>£) is monotonic in 
£{p) when p occurs only positively in B — antimonotonicity would be obtained 
in a symmetric way. If £ and £' differ only on p and £{p) C £'(p), we obtain by 
induction hypothesis that <pg(X) C (f>£/(X) for any candidate X, and in particular 

<fe(lfp(0£')) ^ <f>e'Qfp(<j>S')) = upOfe'); *- e -' Up(<rV) is a prefixed point of <j> e , and 
thus lfp(0f) C lfp((/>£/), that is to say [iJ,Bt\ £ is monotonic in £{p). 

PROPOSITION 3.11. For any P and£, ([P] £ ) x = [P^Y ■ 
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PROPOSITION 3.12. For any P, 6 and £, [P} £ = [P6} £ . 

Proposition 3.13. For any £, monotonia B and S, [BS} £ = [Bp] e >P^W . 

Those three propositions are easy to prove, the first one immediately following 
from Definition 3.10 by involutivity of both negations (on formulas and on candi- 
dates), the other two by induction (respectively on P and B). Proposition 3.12 has 
an important consequence: II G [P] implies 118 G [P0], i.e., our interpretation is 
independent of first-order aspects. This explains some probably surprising parts of 
the definition such as the interpretation of least fixed points, where it seems that 
we are not allowing the parameter of the fixed point to change from one instance 
to its recursive occurrences. 

In the following, when the term structure is irrelevant or confusing, we shall write 
[S] £ for [Si\ £ . For a predicate operator expression (Xp. Bp) of first-order arity 0, 
we shall write [B} £ for X i— > [Bp\ £ ^ Pi '^ Xi ' >i . When even more concision is desirable, 
we may also write for [B} £ X. Finally, we simply write [P] and [B] when £ 

is empty. 

Lemma 3.14. Let X and Y be two reducibility candidates, and II be a proof of 
h Px,Qx that is (X,Y) -reducible. Then .Fg (II) is ([B]X, [B]Y) -reducible. 

Lemma 3.15. Let X be a candidate and O a derivation of h Sx^jBSx that is 
(X- 1 -, [B]X) -reducible. Then v{Ld S £, 0) is {X 1 - , [v Bt\) -reducible for any t. 

Proof of Lemmas 3.14 and 3.15. We prove them simultaneously, generalized 
as follows for any monotonic operator B of second-order arity n + 1, and any 
predicates A and candidates Z: 

(1) For any {X, Y>reducible II, F b1 {II) is ([B]ZX, [B]i ± y)-reducible. 

(2) For any (X^, [B}Z ^-reducible 9, v{Id s & 0) is (X x , (I? Z^)*]) -reducible. 

We proceed by induction on B: we first establish (1), relying on strictly smaller 
instances of both (1) and (2); then we prove (2) by relying on (1) for the same B 
(modulo size-preserving first-order details). The purpose of the generalization is to 
separate the main part of B from auxiliary parts A, which may be large and whose 
interpretations Z may depend on X and Y, but play a trivial role. 

(1) If B is of the form (XpXq. B'p), then F B AH) is simply Id B ,^, which is trivially 
([B'Z], [B 7 ^]) -reducible since [WZ^ = [B'Z^. If B is of the form (XpXq. qt), 
then F bA (I\) is IL[t/x\ which is (X, F)-reduciblc. 

Otherwise, B starts with a logical connective. Following the definition of Fb, 
dual connectives are treated in a symmetric way. The tensor case essentially 
consists in showing that if IT h P', Q' is ([P'], [Q'])-rcduciblc and II" h P", Q" 
is {[P"\, [Q"])-rcduciblc then the following derivation is {[P 1 ® P"], [Q' Q"])- 
reducible: 

n' n" 

^P',Q' hP",Q" 
h P' ®P",Q',Q" 
hP' <S)P",Q'^Q" 79 
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The subderivation IT ® n" is ([P' <g> P"], [Q 1 ], [Q"])-reducible: By Proposi- 
tion 3.9 it suffices to show that for any 9 and compatible H' G [Q'\ and E" G 
[Q"]- 1 , cut(II0; E', E") belongs to [P 1 ® P"]. This follows from: the fact that 
it reduces to cut(IL'6;'E') ® cui(II"0;E"); that those two conjuncts are respec- 
tively in [P'\ and [P"\ by hypothesis; and that { u <8> v : u G [P'],v G [P"\ } 
is a subset of [P' <g> P"] by definition of the interpretation. 

- We then prove that the full derivation, instantiated by 9 and cut against 
any compatible E G [P 1 <E> P"]' L , is in [Q 1 ^ Q"]. Since the interpretation of 
2? is { u <g> u : u G [Q'^v G [Q"] 1 - } x , it suffices to show that ^((^(IT ® 
n"))^; S) normalizes (which follows from the reducibility of LT ® If") and 
that for any substitutions a and a', cut((^(H' (g) H"))9;E)a normalizes when 
cut against any such compatible (u ® v)cr' . Indeed, that cut reduces, using 
cut permutations and the main multiplicative reduction, into cut(cut((H' <g) 
YL")9<t; S<t); ucr' , va') which normalizes by reducibility of IT ® If". 

The additive case follows the same outline. There is no case for units, including 
= and 7^, since they are treated with all formulas where p does not occur. 
In the case of first-order quantifiers, say B = XpXq. 3x. B'pqx, we essentially 
have to show that, assuming that ft is ([Px], [Qx]) -reducible, the following 
derivation is ([3x. Px], [Vx. Qx])-reducible: 

n 

x~, I Px, Qx 
£, x; h 3x. Px, Qx 
3x. Px,\/x. Qx 

- We first establish that the immediate subderivation 3(11) is reducible, by 
considering cut(3(U)9; S) for any 9 and compatible S G [Qx] 1 -. We reduce that 
derivation into 3{cut(JI9; S)) and conclude by definition of [3x. Px] and the 
fact that cut(Ii9;E) G [Px]. 

- To prove that V(3(II)) is reducible, we show that cut(V(3(IL))0; S) belongs 
to [Vx. Qx] for any 9 and compatible S G [3x. Px] -1 . Since [Vx. Qx] = { 3S' : 
S' G [Qf]^ }^, this amounts to show that our derivation normalizes (which 
follows from the reducibility of 3(11)) and that cut(cut(V(3(IL))6; E)a; (3E')cr') 
normalizes for any a, a' and compatible S' G [Qt] . Indeed, this derivation 
reduces, by permuting the cuts and performing the main V/3 reduction, into 
cut{3(Ii)9a\ta' /x\; E'er', Her), which normalizes by reducibility of 3(11). 
Finally, we show the fixed point case in full details since this is where the 
generalization is really useful. When B is of the form XpXq. [i(B'pq)t, we are 
considering the following derivation: 

h P'lP(/i(P'lP))x,P 7 i' ± Q(^(P 7 A ± P- L ))x 

h ii{B'AP)t, v(WA- L P ± )t h fj,(B' AP)x,B~' 'A^Q{v{B' 'A^P^))x 

= v 

h n(B'AP)t, v{B'A^Q)t 

We apply induction hypothesis (I) on B" := (XpXp n +iXq. B'pqp n+ ix), with 
A n+ i := fi(B'AP) and Z n+ i := [/.i(B' ZX)], obtaining that the subderiva- 
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tion F..(n) is ([B"]ZZ n+1 X,[B"]Z ± Z^ +1 Y)-rcducible. Then, we establish 
that n(F ...(n)) is reducible: for any 9 and compatible 3 6 [B"]ZZ n+ iY , 
cut(n(F...(n))0;Z) reduces to fj,(cut(F„(n)0;S)) which belongs to [^(B'ZX)x] = 
{ /j,W : IT e [B'ZX{ji{B'ZX))x] } ±J - by reducibility of We finally 

obtain the reducibility of the whole derivation by applying induction hypothesis 
(2) on B' with A n+1 := Q ± , Z n+1 := Y 1 - and X := [fx(B'ZX)x\ ± . 

(2) Here we have to show that for any 9 and any compatible 3 G X 1 the derivation 
cut(v(Id S £, 0)(9; S) belongs to [n{B Z)^ 1 - . Since only t is affected by 9 in such 
derivations, we generalize on it directly, and consider the following set: 

Y := { cut(u(Id si! ,Q); 3) : S^fel] 1 

Note that we can form the orthogonal to obtain Y, since we are indeed con- 
sidering a subset of WW: any cut(u(Id; O); 3) reduces to i/(S; 0), and H and 
normalize. We shall establish that Y is a pre-fixed point of the operator 
4> such that [fi(BZ)t\ has been defined as lfp(</>), from which it follows that 
[fj,(BZ)t\ C y, which entails our goal — note that this is essentially a proof by 
induction on \p(BZ)]. 
So we prove the pre-fixed point property: 

{ fjli : II : BA{^{BA))t 7 ' e [BZYt?] C F 

Observing that, for any A, B C WW, we have A" 1 - 1 C B 1 - A- 1 - 1 JL i? 
£? C A <=> £> JL A, our property can be rephrased equivalently: 

{ cut(v(Id st -,,e); 3) : 3 : Si 7 G X } JL { /ill : IT G [BZY?] } 

Since both sides are stable by substitution, there is no need to consider compati- 
bility substitutions here, and it suffices to consider cuts between any compatible 
left and right-hand side derivations: cut(cut(i>(Id, 0); 5); /ill). It reduces, using 
cut exchange, the main fixed point reduction and finally the identity reduction, 
into: 

F B A.t>Wd SSl Q)) n 



e[t'/x\ h BAS ± t',BA ± (u(BA J -))t' h BA(fi(BA))f,A 

cut 



E \~ S- L t',BA ± St' h BASH', A 
- - cut 

hr,s*i' h-s^A 
Fr\A cut 

By hypothesis, 3 G X , IT G [BZW] and Q[t'/x\ is (X- 1 , [l?Z x X?])-reducible. 
Moreover, v(Idsx,Q) is (X , Y )-reducible by definition of Y, and thus, by 
applying (1) on the operator XpXq. Bpqt' , which has the same size as -B, we 
obtain that F BXt p{v{Id s3 ,Q)) is ([BZX ± t ! ], [f?i x Y x f 7 ]) -reducible 6 . We can 
finally compose all that to conclude that our derivation normalizes. 



□ 



6 This use of (1) involving Y is the reason why our two lemmas need to deal with arbitrary 
candidates and not only interpretations of formulas. 
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3.4 Normalization 

Lemma 3.16. Any proof of h Pi, . . . , P n is ([Pi], . . . , [P n ]) -reducible. 

Proof. By induction on the height of the derivation II, with a case analysis on 
the first rule. We are establishing that for any 8 and compatible (7,; G [Pi] ± )i=i... n , 
cutilid;^) normalizes. If IL9 is an axiom on P = P\8 = P^8, the cut against a 
proof of [P] and a proof of [P] ± reduces into a cut between those two proofs, which 
normalizes. If 110 = cut(Xl'9; H"8) is a cut on the formula P, cut(H6; 7) reduces to 
cut(cut(H'8; 7'); cut(W8; 7")) and the two subderivations belong to dual candidates 
[P] and [P] by induction hypothesis and Proposition 3.9. 

Otherwise, II starts with a rule from the logical group, the end sequent is of the 
form h r, P where P is the principal formula, and we shall prove that cut(H8; 7) G 
[P] when 7 is taken in the duals of the interpretations of T8, which allows to 
conclude again using Proposition 3.9. 

- The rules 1, ®, ©, 3, = and /x are treated similarly, the result coming directly 
from the definition of the interpretation. 

Let us consider, for example, the fixed point case: II = fill'. By induction hy- 
pothesis, cut(IL'8;j) G [B((iB% By definition, [fxBt\ = lfp(0) = </>(lfp(</0) = X ±JL 
where X := { fiE : 5 G [B»t\\pB] }. Since [B(fiB)t\ = [B»t\\pB], we obtain that 
/i(cut(H'8; 7)) G X and thus also in X ±J ~. Hence cut(Il8;j), which reduces to the 
former, is also in \jiBz\. 

- The rules _L, ^, T, &, V, 7^, and v are treated similarly: we establish that 
cut(nd; 7) JL X for some X such that [P] = X . First, we have to show that our 
derivation normalizes, which comes by permuting up the cuts, and concluding by 
induction hypothesis — this requires that after the permutation the derivations 7 
are still in the right candidates, which relies on closure under substitution and hence 
signature extension for the case of disequality and V. Then we have to show that 
for any a and a' , and any compatible 3 G X, the derivation cut(cut(J19; 7)cr; Ser') 
normalizes too. We detail this last step for two key cases. 

In the V case we have [Vx. Px] = { 3H' : 5' G [Pt ) } , so we consider 
cut(cut((\fW)e;j)a;(3E')a'), which reduces to cut(IL'6[t/x]; ^a,Ea'). This nor- 
malizes by induction hypothesis on n'[f/x], which remains smaller than n. 
The case of v is the most complex, but is similar to the argument developed for 
Lemma 3.15. If n is of the form i/(n',0) and P = vBt then cut(H;j)9 has type 
vBu for u := tO. Since [vBu] = { /xS : 2 G [Buu] [/J.B] j^, we show that for any 
a, a 1 and compatible S G [B(fiB)u\, the derivation cut (cut (v (II' , 0)8; 7)17; (fjS)a') 
normalizes. Let v be ua, the derivation reduces to: 

cut(cut(n'8a; 7V); cut(Q[v / x]; cut(F Bt , g (v(Id, 9)); Scr'))) 

By induction hypothesis, cut(U'8o-;j<j) G [Sv\, and Q is ([S'a;]^, [B5a;])-reducible. 
By Lemmas 3.14 and 3T5 we obtain that F E .#(i>(Id, 0)) is ([BS ± v\, [B(uB)v])- 
rcducible. Finally, 3 G [B(/.iB)v\. We conclude by composing all these reducibilitics 
using Proposition 3.9. 
□ 

Theorem 3.17 Cut elimination. Any derivation can be reduced into a cut- 
free derivation. 
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Proof. By Lemma 3.16, any derivation is reducible, and hence normalizes. □ 

The usual immediate corollary of the cut elimination result is that //MALL is 
consistent, since there is obviously no cut-free derivation of the empty sequent. 
However, note that unlike in simpler logics, cut-free derivations do not enjoy the 
subformula property, because of the \x and v rules. While it is easy to characterize 
the new formulas that can arise from fi, nothing really useful can be said for v, for 
which no non-trivial restriction is known. Hence, /iMALL only enjoys restricted 
forms of the subformula property, applying only to (parts of) derivations that do 
not involve coinductions. 

4. FOCUSING 

In [Andreoli 1992], Andreoli identified some important structures in linear logic, 
which led to the design of his focused proof system. This complete proof system 
for (second-order) linear logic structures proofs in stripes of asynchronous and 
synchronous rules. Choices in the order of application of asynchronous rules do not 
matter, so that the real non-determinism lies in the synchronous phase. However, 
the focused system tames this non-determinism by forcing to hereditarily chain 
these choices: once the focus is set on a synchronous formula, it remains on its 
subformulas as its connectives are introduced, and so on, to be released only on 
asynchronous subformulas. We refer the reader to [Andreoli 1992] for a complete 
description of that system, but note that Figure 2, without the fixed point rules, 
can be used as a fairly good reminder: it follows the exact same structure, only 
missing the rules for exponentials. 

Focusing /tMALL can be approached simply by reading the focusing of second- 
order linear logic through the encoding of fixed points. But this naive approach 
yields a poorly structured system. Let us recall the second-order encoding of /iBt: 

VS*. !(V£. BSx -o Sx) -o St 

This formula starts with a layer of asynchronous connectives: V, — ° and ?, the dual 
of !. Once the asynchronous layer has been processed, the second-order cigenvari- 
able S represents y,B and one obtains unfoldings of S into BS by focusing on the 
pre-fixed point hypothesis. Through that encoding, one would thus obtain a system 
where several unfoldings necessarily require several phase alternations. This is not 
satisfying: the game-based reading of focusing identifies fully synchronous (posi- 
tive) formulas with data types, which should be built in one step by the player, i.e., 
in one synchronous phase. In /tMALL, least fixed points over fully synchronous op- 
erators should be seen as data types. That intuition, visible in previous examples, 
is also justified by the classification of connectives in Definition 2.11, and is indeed 
accounted for in the focused system presented in Figure 2. 

It is commonly believed that asynchrony corresponds to invertibility. The two 
notions do coincide in many cases but it should not be taken too seriously, since 
this does not explain, for example, the treatment of exponentials, or the fact that 
init has to be synchronous while it is trivially invertiblc. In the particular case 
of fixed points, invertibility is of no help in designing a complete focused proof 
system. Both fi and v are invertible (in the case of v, this is obtained by using the 
unfolding coinvariant) but this does not capture the essential aspect of fixed points, 
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that is their infinite behavior. As a result, a system requiring that the /i rule is 
applied whenever possible would not be complete, notably failing on h T ® 1, i^p.p 
or h not x — o not x. As we shall see, the key to obtaining focused systems is to 
consider the permutability of asynchronous rules, rather than their invertibility, as 
the fundamental guiding principle. 

We first design the fi- focused system in Section 4.1, treating /i synchronously, 
which is satisfying for several reasons starting with its positive nature. We show in 
Section 4.2 that it is also possible to consider a focused system for //MALL where 
v is treated synchronously. In Section 4.3, we apply the /i-focuscd system to a 
fragment of /iLJ. 

4.1 A complete /i-focused calculus 

In this section, we call asynchronous (resp. synchronous) the negative (resp. pos- 
itive) connectives of Definition 2.11 and the formulas whose top-level connective 
is asynchronous (resp. synchronous). Moreover, we classify non-negated atoms as 
synchronous and negated ones as asynchronous. As with Andreoli's original sys- 
tem, this latter choice is arbitrary and can easily be changed for a case-by-case 
assignment [Miller and Saurin 2007; Chaudhuri et al. 2008]. 

We present the system in Figure 2 as a good candidate for a focused proof system 
for //MALL. In addition to asynchronous and synchronous formulas as defined 
above, focused sequents can contain frozen formulas P* where P is an asynchronous 
atom or fixed point. Frozen formulas may only be found at toplevel in sequents. We 
use explicit annotations of the sequents in the style of Andreoli: in the synchronous 
phase, sequents have the form h Y J| P; in the asynchronous phase, they have the 
form h T fr A. In both cases, T and A are sets of formulas of disjoint locations, 
and L is a multiset of synchronous or frozen formulas. The convention on A is 
a slight departure from Andreoli's original proof system where A is a list: we 
shall emphasize the irrelevance of the order of asynchronous rules without forcing 
a particular, arbitrary ordering. Although we use an explicit freezing annotation, 
our treatment of atoms is really the same one as Andreoli's; the notion of freezing 
is introduced here as a technical device for dealing precisely with fixed points, and 
we also use it for atoms for a more uniform presentation. 

The //-focused system extends the usual focused system for MALL. The rules for 
equality are not surprising, the main novelty here is the treatment of fixed points. 
Each of the fixed point connectives has two rules in the focused system: one treats 
it "as an atom" and the other one as an expression with internal logical structure. 
In accordance with Definition 2.11, // is treated during the synchronous phase and 
v during the asynchronous phase. 

Roughly, what the focused system implies is that if a proof involving a v- 
expression proceeds by coinduction on it, then this coinduction can be done at 
the beginning; otherwise that formula can be ignored in the whole derivation, ex- 
cept for the init rule. The latter case is expressed by the rule which moves the 
greatest fixed point to the left zone, freezing it. Focusing on a /i-expression yields 
two choices: unfolding or applying the initial rule for fixed points. If the considered 
operator is fully synchronous, the focus will never be lost. For example, if not 
is the (fully synchronous) expression /iN.Xx. x = © By. x = s y ® TV y, then 
focusing puts a lot of structure on a proof of h L Jj. not t: either t is a closed term 

ACM Transactions on Computational Logic, Vol. V, No. N, December 2010. 



30 • David Baelde 



Asynchronous phase 

h r ft p, Q, A hr-fi-p.A hrtQ.A j~ r . ( a± t)* ft A 



hF ft P^Q,A hTfP&Q.A hr-fl-a-L^A 

h r t a {h re f Ae e <= csu(s = t)} 

hrfl,A h r ft T, A hFfts^t, A 

hrf Pc, a 

h r t Vz.Px, A 

h T ft St, A \-ft BSx, Sx x h T, (uBt)* ft A 
\-Vft vBt, A \-Fft uBt, A 

Synchronous phase 
\-FftP hT'ftQ hFftPi 



\-T,T' ft P (g> Q h T ft P ffi Pi h (a x t)* JJ at* 



NJ. 1 r-4- t = t 
hT4J.Pt 

h r jj 3z.Px 
r jj. B{[iB)t 



h T JJ jiiSt h (i/Bt)* JJ iiBt 
Switching rules (where P is synchronous, Q asynchronous) 

hr.p^A hrjjp \-rftQ 
h r t p a h r,p ff h r jj q 

Fig. 2: The /i-focused proof-system for /xMALL 

representing a natural number and T is empty, or t = s n t' for some n > and T 
only contains (nat i') . 

We shall now establish the completeness of our focused proof system: If the 
unfocused sequent h V is provable then so is Hff T, and the order of application of 
asynchronous rules does not affect provability. From the perspective of proofs rather 
than provability, we are actually going to provide transformations from unfocused 
to focused derivations (and back) which can reorder asynchronous rules arbitrarily. 
However, this result cannot hold without a simple condition avoiding pathological 
uses of infinite branching, as illustrated with the following counter-example. The 
unification problem s (/ 0) = / (s 0), where s and are constants, has infinitely 
many solutions [(Ace. s n x)/f]. Using this, we build a derivation ±I W with infinitely 
many branches, each Ii n unfolding a greatest fixed point n times: 

h vp.p, T h pLp.p, vp.p 
T-r def — — T „ def j- — V 

n = V vp.p, T II n+ i = h vp.p, T 

n ni ... n„ ... 

= f f;^s (fO)^f (sO),vp.p,T * 
Although this proof happens to be already in a focused form, in the sense that 
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focusing annotations can be added in a straightforward way, the focused transfor- 
mation must also provide a way to change the order of application of asynchronous 
rules. In particular it must allow to permute down the introduction of the first 
vp.p. The only reasonable way to do so is as follows, expanding IIo into IIi and 
then pulling down the v rule from each subderivation, changing II n +i into n n : 



/; r- s (f 0) ^ f (s 0), vp.p, T h np.p, vp.p 
n„ - /;hs(/0)^/( S 0), W ,T 

This leads to a focusing transformation that may not terminate. The fundamental 
problem here is that although each additive branch only finitely explores the asyn- 
chronous formula vp.p, the overall use is infinite. A solution would be to admit 
infinitely deep derivations, with which such infinite balancing process may have 
a limit. But our goal here is to develop finite proof representations (this is the 
whole point of (co)induction rules) so we take an opposite approach and require a 
minimum amount of finiteness in our proofs. 

Definition 4.1 Quasi-finite derivation. A derivation is said to be quasi-finite if it 
is cut-free, has a finite height and only uses a finite number of different coinvariants. 

This condition may seem unfortunate, but it appears to be essential when dealing 
with transfinitc proof systems involving fixed points. More precisely, it is related to 
the choice regarding the introduction of asynchronous fixed points, be they greatest 
fixed points in /^-focusing or least fixed points in ^-focusing. Note that quasi- 
finitcness is trivially satisfied for any cut-free derivation that is finitely branching, 
and that any derivation which does not involve the ^ rule can be normalized into a 
quasi-finite one. Moreover, quasi-finiteness is a natural condition from a practical 
perspective, for example in the context of automated or interactive theorem proving, 
where ^ is restricted to finitely branching instances anyway. However, it would be 
desirable to refine the notion of quasi-finite derivation in a way that allows cuts 
and is preserved by cut elimination, so that quasi-finite proofs could be considered 
a proper proof fragment. Indeed, the essential idea behind quasi-finiteness is that 
only a finite number of locations arc explored in a proof, and the cut-free condition 
is only added because cut reductions do not obviously preserve this. We conjecture 
that a proper, self-contained notion of quasi-finite derivation can be attained, but 
leave this technical development to further work. 

The core of the completeness proof follows [Miller and Saurin 2007] . This proof 
technique proceeds by transforming standard derivations into a form where focused 
annotations can be added to obtain a focused derivation. Conceptually, focused 
proofs are simply special cases of standard proofs, the annotated sequents of the 
focused proof system being a concise way of describing their shape. The proof 
transformation proceeds by iterating two lemmas which perform rule permutations: 
the first lemma expresses that asynchronous rules can always be applied first, while 
the second one expresses that synchronous rules can be applied in a hereditary 
fashion once the focus has been chosen. The key ingredient of [Miller and Saurin 
2007] is the notion of focalization graph, analyzing dependencies in a proof and 
showing that there is always at least one possible focus. 
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In order to ease the proof, we shall consider an intermediate proof system whose 
rules enjoy a one-to-one correspondence with the focused rules. This involves get- 
ting rid of the cut, non-atomic axioms, and also explicitly performing freezing. 

Definition 4.2 Freezing- annotated derivation. The freezing-annotated variant of 
/iMALL is obtained by removing the cut rule, enriching the sequent structure with 
an annotation for frozen fixed points or atoms, restricting the initial rule to be 
applied only on frozen asynchronous formulas, and adding explicit annotation rules: 

h r, (vBtf h r, (a- 1 *)* 

h (a ±: t)*,at h (v~Bi)*,nBt h T, vBt h T, a ± t 

Atomic instances of init can be translated into freezing-annotated derivations: 

h (vBt) * , [Hit h (a 1 - 1) * , at 

h vBt, fiBt — > h vBt, fiBt h a x t, at — ► h a^t, at 

Arbitrary instances of init can also be obtained by first expanding them to rely only 
on atomic init, using Proposition 2.8, and then translating atomic init as shown 
above. We shall denote by init* this derived generalized axiom. Any ^MALL 
derivation can be transformed into a freezing-annotated one by normalizing it and 
translating init into init*. 

The asynchronous freezing-annotated rules (that is, those whose principal for- 
mula is asynchronous) correspond naturally to asynchronous rules of the /x-focused 
system. Similarly, synchronous freezing-annotated rules correspond to synchronous 
focused rules, which includes the axiom rule. The switching rules of the ^-focused 
system do not have a freezing-annotated equivalent: they are just book-keeping 
devices marking phase transitions. 

From now on we shall work on freezing-annotated derivations, simply calling 
them derivations. 

4.1.1 Balanced derivations. In order to ensure that the focalization process ter- 
minates, we have to guarantee that the permutation steps preserve some measure 
over derivations. The main problem here comes from the treatment of fixed points, 
and more precisely from the fact that there is a choice in the asynchronous phase 
regarding greatest fixed points. We must ensure that a given greatest fixed point 
formula is always used in the same way in all additive branches of a proof: if a 
greatest fixed point is copied by an additive conjunction or ^, then it should cither 
be used for coinduction in all branches, or frozen and used for axiom in all branches. 
Otherwise it would not be possible to permute the treatment of the v under that 
of the & or 7^ while controlling the size of the transformed derivation. 

Definition 4.3 Balanced derivation. A greatest fixed point occurrence is used in 
a balanced way if all of its principal occurrences are used consistently: cither they 
are all frozen or they are all used for coinduction, with the same coinvariant. We 
say that a derivation is balanced if it is quasi-finite and all greatest fixed points 
occurring in it are used in a balanced way. 

Lemma 4.4. If Sq and S\ are both coinvariants for B then so is So © S\. 
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Proof. Let IL be the derivation of coinvariance for Si- The proof of coinvariance 
of 5*0 © Si is as follows: 

<Mn ) 0i (no 



h S^x, B(S © Si)x h S£2, B{S © 5i)f 

The transformed derivations ^ (Ilj ) are obtained by functoriality: 

1 init 

h Sj y, Sky 

Hi h S^y, S y (B Siy 



h S^x, h BS^f, B(5 © Si)x 

4>i(^i)= h S^x,B(S (BSi)x CUt 

Notice that after the elimination of cuts, the proof of coinvariance that we built can 
be larger than the original ones: this is why this transformation cannot be done as 
part of the rule permutation process. □ 

Lemma 4.5. Any quasi-finite derivation of h L can be transformed into a bal- 
anced derivation of h L. 

Proof. We first ensure that all coinvariants used for the same (locatively identi- 
cal) greatest fixed point are the same. For each vB on which at least one coinduction 
is performed in the proof, this is achieved by taking the union of all coinvariants 
used in the derivation, thanks to Lemma 4.4, adding to this union the unfolding 
coinvariant B(vB). Note that quasi-finiteness is needed here to ensure that we are 
only combining finitely many coinvariants. Let S u b be the resulting coinvariant, of 
the form 5*0 © . . . © S n © B{vB), and 0„b be the proof of its coinvariance. We 
adapt our derivation by changing every instance of the v rule as follows: 



e . \-v,Sjt 



hT,Sit hS±x,BSiX \-T,S vB t \-S^ B x,BS l 



, B x 



\-T,vBt — > hT,vBt 

It remains to ensure that a given fixed point is either always coinducted on or 
always frozen in the derivation. We shall balance greatest fixed points, starting with 
unbalanced fixed points closest to the root, and potentially unbalancing deeper fixed 
points in that process, but without ever introducing unbalanced fixed points that 
were not initially occurring in the proof. 

Let no be the derivation obtained at this point. We define the degree of a 
greatest fixed point to be the maximum distance in the sublocation ordering to a 
greatest fixed point sublocation occurring in ITo, if there is none. Quasi-finiteness 
ensures that degrees are finite, since there are only finitely many locations occurring 
at toplevel in the sequcnts of a quasi-finite derivation. We shall only consider 
derivations in which greatest fixed points that are coinducted on are also coinducted 
on with the same coinvariant in IIo, and maintain this condition while transforming 
any such derivation into a balanced one. We proceed by induction on the multiset of 
the degrees of unbalanced fixed points in the derivation, ordered using the standard 
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multiset ordering — note that degrees are well defined for all unbalanced fixed 
points since they must also occur in ITo. If there is no unbalanced fixed point, 
we have a balanced proof. Otherwise, pick an unbalanced fixed point of maximal 
degree. It is frozen in some branches and coinducted on in others. We remove all 
applications of freezing on that fixed point, which requires to adapt axioms 7 : 

h B(vB)t,B(nB)t 

hB{ V B%jxBf ^ 

5 — 5 © : — 

h S V Bt, \iBt h S„ B x, BS U BX 

h (i>Bi)*,ixBt — > \-uBt,fiBt 

The fixed point vB is used in a balanced way in the resulting derivation. Our 
use of the derived rule init* might have introduced some new freezing rules on 
greatest fixed point sublocations of B{vB) or B(fiB). Such sublocations, if already 
present in the proof, may become unbalanced, but have a smaller degree. Some new 
sublocations may also be introduced, but they are only frozen as required. The new 
derivation has a smaller multiset of unbalanced fixed points, and we can conclude 
by induction hypothesis. □ 

Balancing is the most novel part of our focalization process. This preprocessing is 
a technical device ensuring termination in the proof of completeness, whatever rule 
permutations are performed. It should be noted that balancing is often too strong, 
and that many focused proofs are indeed not balanced. For example, it is possible 
to obtain unbalanced focused proofs by introducing an additive conjunction before 
treating a greatest fixed point differently in each branch. 

4.1.2 Focalization graph. We shall now present the notion of focalization graph 
and its main properties [Miller and Saurin 2007] . As we shall see, their adaptation 
to fiMALL is trivial 8 . 

Definition 4.6. The synchronous trunk of a derivation is its largest prefix con- 
taining only applications of synchronous rules. It is a potentially open subderivation 
having the same conclusion sequent. The open sequents of the synchronous trunk 
(which are conclusions of asynchronous rules in the full derivation) and its initial 
sequents (which are conclusions of init, 1 or =) are called leaf sequents of the trunk. 

Definition 4.7. We define the relation -< on the formulas of the base sequent of 
a derivation II: P -< Q if and only if there exists P', asynchronous sub-formula 9 of 
P, and Q' , synchronous subformula of Q, such that P' and Q' occur in the same 
leaf sequent of the synchronous trunk of II. 

The intended meaning of P -< Q is that we must focus on P before Q. There- 
fore, the natural question is the existence of minimal elements for that relation, 



7 Note that instead of the unfolding coinvariant B(yB) we could have used the coinvariant uB. This 
would yield a simpler proof, but that would not be so easy to adapt for i/-focusing in Section 4.2. 
8 Note that we do not use the same notations: in [Miller and Saurin 2007] , -< denotes the subformula 
relation while it represents accessibility in the focalization graph in our case. 

9 This does mean subformula in the locative sense, in particular with (co)invariants being subfor- 
mulas of the associated fixed points. 
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equivalent to its acyclicity. 

Proposition 4.8. If H starts with a synchronous rule, and P is minimal for -< 
in H, then so are its subformulas in their respective subderivations. 

Proof. There is nothing to do if n simply consists of an initial rule. In all other 
cases (®, ©, 3 and /i) let us consider any subderivation n' in which the minimal 
element P or one of its subformulas P' occurs — there will be exactly one such 
n', except in the case of a tensor applied on P. The other formulas occurring in 
the conclusion of n' cither occur in the conclusion of II or are subformulas of the 
principal formula occurring in it. This implies that a Q -< P or Q -< P' in II' would 
yield a Q' -< P in II, which contradicts the minimality hypothesis. □ 

Lemma 4.9. The relation -< is acyclic. 

Proof. We proceed by induction on the derivation II. If it starts with an asyn- 
chronous rule or an initial synchronous rule, i.e., its conclusion sequent is a leaf 
of its synchronous trunk, acyclicity is obvious since P -< Q iff P is asynchronous 
and Q is synchronous. If II starts with ©, 3 or /Lt, the relations -< in II and its 
subderivation are isomorphic (only the principal formula changes) and we conclude 
by induction hypothesis. In the case of (g), say IT derives h T,T',P ® P', only the 
principal formula P (£> P' has subformulas in both premises h T,P and h T',P'. 
Hence there cannot be any -< relation between a formula of T and one of T' . In 
fact, the graph of -< in the conclusion is obtained by taking the union of the graphs 
in the premises and merging P and P' into P ® P'. Suppose, ah absurdo, that -< 
has cycles in II, and consider a cycle of minimal length. It cannot involve nodes 
from both V and T': since only P ® P' connects those two components, the cycle 
would have to go twice through it, which contradicts the minimality of the cycle's 
length. Hence the cycle must lie within (r, P ® P') or (r', P <E> P') but then there 
would also be a cycle in the corresponding premise (obtained by replacing P ® P' 
by its subformula) which is absurd by induction hypothesis. □ 

4.1.3 Permutation lemmas and completeness. We are now ready to describe the 
transformation of a balanced derivation into a /i-focused derivation. 

Definition 4.10. We define the reachable locations of a balanced derivation n, 
denoted by |n|, by taking the finitely many locations occurring at toplevel in sc- 
quents of n, ignoring coinvariance subderivations, and saturating this set by adding 
the sublocations of locations that do not correspond to fixed point expressions. 

It is easy to see that |n| is a finite set. Hence | IT | , ordered by strict inclusion, is 
a well-founded measure on balanced derivations. 

Let us illustrate the role of reachable locations with the following derivations: 



h St, a g b, T h S^x, BSx h vBt, a, b, T 

h vBt, a^b.T h vBt, a^b,T 

For the first derivation, the set of reachable locations is {vBt^^b, T, St, a, b}. For 
the second one, it is {vBt, a^b, T, a, b}. As we shall see, the focalization process may 
involve transforming the first derivation into the second one, thus loosing reachable 
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locations, but it will never introduce new ones. In that process, the asynchronous 
rule 2? is "permuted" under the T, i.e., the application of T is delayed by the 
insertion of a new rule. This limited kind of proof expansion does not affect 
reachable locations. A more subtle case is that of "permuting" a fixed point rule 
under T. This will never happen for /i. For u, the permutation will be guided 
by the existing reachable locations: if v currently has no reachable sublocation it 
will be frozen, otherwise it will be coinducted on, leaving reachable sublocations 
unchanged in both cases. The set of reachable locations is therefore a skeleton that 
guides the focusing process, and a measure which ensures its termination. 

Lemma 4.11. For any balanced derivation II, |II0| is balanced and \H9\ C |n|. 

Proof. By induction on II, following the definition of 110. The preservation of 
balancing and reachable locations is obvious since the rule applications in 119 are 
the same as in II, except for branches that are erased by 9 (which can lead to a 
strict inclusion of reachable locations). □ 

Lemma 4.12 Asynchronous permutability. Let P be an asynchronous for- 
mula. If h T,P has a balanced derivation II, then it also has a balanced derivation 
II' where P is principal in the conclusion sequent, and such that |n'| C |n|. 

Proof. Let Ho be the initial derivation. We proceed by induction on its sub- 
derivations, transforming them while respecting the balanced use of fixed points in 
Ho. If P is already principal in the conclusion, there is nothing to do. Otherwise, by 
induction hypothesis we make P principal in the immediate subderivations where 
it occurs, and we shall then permute the first two rules. 

If the first rule TZ is T or a non-unifiable instance of ^, there is no subderiva- 
tion, and a fortiori no subderivation where P occurs. In that case we apply an 
introduction rule for P, followed by TZ in each subderivation. This is obvious in 
the case of ^, &, V, JL, ^ and T (note that there may not be any subderivation 
in the last two cases, in which case the introduction of P replaces TZ). If P is a 
greatest fixed point that is coinducted on in IIo, we apply the coinduction rule with 
the coinvariancc premise taken in IIo, followed by TZ. Otherwise, we freeze P and 
apply TZ. By construction, the resulting derivation is balanced in the same way as 
IIo, and its reachable locations are contained in | ITo I - 

In all other cases we permute the introduction of P under the first rule. The 
permutations of MALL rules are simple. We shall not detail them, but note that 
if P is T or a non-unifiable u ^ v, permuting its introduction under the first rule 
erases that rule. The permutations involving freezing rules are obvious, and most 
of the ones involving fixed points, such as <S>/v, are not surprising: 



The Sz/v and ^/v permutations rely on the fact that the subderivations obtained 
by induction hypothesis are balanced in the same way, with one case for freezing in 
all additive branches and one case for coinduction in all branches: 



\-T,P,St hBSx^x 1 - 

\-T,P,vBt hr',P' 

h r, r, p ® p', vBt 



\-r,p,st \-r',P' 

h r,F',P eg P',St ^BSx^Sx^ 
h T, F', P <g> P', vBt 
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n e it e 

\-T,P,St hBSx^Sx 1 - \-T,P',St hBSx^x 1 - 
\-T,P,uB? \-T,P',vBt 
h T.PkP'.vBt 

I 

n n' 



h r, p, st h r, p', st e 



\-T,PkP',St hBSx^Sx) 1 - 
h T,P&P',vBt 

Another non-trivial case is <S>/^ which makes use of Lemma 4.11: 



h (r, P)a : a £ csu(u = v) J tt' 



hr,p,ii^D r-r',Q 
hr,r',p®Q,w^ 

4 



n CT nv 



h(r ; p)g r-(r,g)a 
h (r, r', p ® Q)fj : cr e csu(u = w) 

r-r,r',P®Q,u^i; 

A simple inspection shows that in each case, the resulting derivation is balanced 
in the same way as IIo, and does not have any new reachable location — the set of 
reachable locations may strictly decrease only upon proof instantiation in or 
when permuting T and trivial instances of ^ under other rules. □ 

Lemma 4.13 Synchronous permutability. Let T be a sequent of synchronous 
and frozen formulas. If h T has a balanced derivation LT in which P is minimal for 
-< then it also has a balanced derivation LT' such that P is minimal and principal 
in the conclusion sequent ofH', and |IT'| = |II|. 

Proof. We proceed by induction on the derivation. If P is already principal, 
there is nothing to do. Otherwise, since the first rule must be synchronous, P 
occurs in a single subderivation. We can apply our induction hypothesis on that 
subderivation: its conclusion sequent still cannot contain any asynchronous formula 
by minimality of P and, by Proposition 4.8, P is still minimal in it. We shall now 
permute the first two rules, which are both synchronous. The permutations of 
synchronous MALL rules are simple. As for 1, there is no permutation involving 
=. The permutations for /j, follow the same geometry as those for 3 or 0. For 
instance, <g>//i is as follows: 

hT',P',B(fiB)t hF,P \-T',P',B(iJ,B)t 

~~ — M 17 & 

hT,P \-r',P',uBt hT,T',P® P',B((iB)t 

- ' (g) \x 

h r,r',p ® p\fiBt — > hr,r,p ® p'^Bt 
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All those permutations preserve |II|. Balancing and minimality are obviously 
preserved, respectively because asynchronous rule applications and the leaf sequents 
of the synchronous trunk are left unchanged. □ 

Theorem 4.14. The [i-focused system is sound and complete with respect to 
fiMALL: If I — r is provable, then h T is provable in fiMALL. If h T has a 
quasi-finite fiMALL derivation, then I — ff- T has a (focused) derivation. 

Proof. For soundness, we observe that an unfocused derivation can be obtained 
simply from a focused one by erasing focusing annotations and removing switching 
rules ( h A ft T gives h A, V and h V ft P gives h T, P). To prove completeness, 
we first obtain a balanced derivation using Lemma 4.5. Then, we use permutation 
lemmas to reorder rules in the freezing-annotated derivation so that we can translate 
it to a /z-focused derivation. Formally, we first use an induction on the height of the 
derivation. This allows us to assume that coinvariance proofs can be focused, which 
will be preserved since those subderivations are left untouched by the following 
transformations. Then, we prove simultaneously the following two statements: 

(1) If h r, A has a balanced derivation II, where T contains only synchronous and 
frozen formulas, then h T f A has a derivation. 

(2) If h r, P has a balanced derivation II in which P is minimal for -<, and there 
is no asynchronous formula in its conclusion, then there is a focused derivation 
of h T ft P. 

We proceed by well-founded induction on | IT | with a sub- induction on the number 
of non-frozen formulas in the conclusion of II. Note that (1) can rely on (2) for the 
same |II| but (2) only relies on strictly smaller instances of (1) and (2). 

(1) If there is any, pick arbitrarily an asynchronous formula P, and apply Lemma 
4.12 to make it principal in the first rule. The subderivations of the obtained 
proof can be focused, either by the outer induction in the case of coinvariance 
proofs, or by induction hypothesis (1) for the other subderivations: if the first 
rule is a freezing, then the reachable locations of the subderivation and the 
full derivation are the same, but there is one less non-frozen formula; with all 
other rules, the principal location is consumed and reachable locations strictly 
decrease. Finally, we obtain the full focused derivation by composing those 
subderivations using the focused equivalent of the rule applied on P. 

When there is no asynchronous formula left, we have shown in Lemma 4.9 that 
there is a minimal synchronous formula P in T, A. Let V denote T, A without 
P. Using switching rules, we build the derivation of h T ft A from h r" ft P, 
the latter derivation being obtained by (2) with II unchanged. 

(2) Given such a derivation, we apply Lemma 4.13 to make the formula P principal. 
Each of its subderivations has strictly less reachable locations, and a conclusion 
of the form h T", P' where P' is a subformula of P that is still minimal by 
Proposition 4.8. For each of those we build a focused derivation of h T" ft P': 
if the subderivation still has no asynchronous formula in its conclusion, we can 
apply induction hypothesis (2); otherwise P' is asynchronous by minimality 
and we use the switching rule releasing focus on P', followed by a derivation of 
h T" ft P' obtained by induction hypothesis (1). Finally, we build the expected 
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focused derivation from those subdcrivations by using the focused equivalent of 
the synchronous freezing-annotated rule applied on P. 



In addition to a proof of completeness, we have actually defined a transformation 
that turns any unfocused proof into a focused one. This process is in three parts: 
first, balancing a quasi-finite unfocused derivation; then, applying rule permutations 
on unfocused balanced derivations; finally, adding focusing annotations to obtain a 
focused proof. The core permutation process allows to reorder asynchronous rules 
arbitrarily, establishing that, from the proof search viewpoint, this phase consists 
of inessential non-determinism as usual, except for the choice concerning greatest 
fixed points. 

In the absence of fixed points, balancing disappears, and the core permutation 
process is known to preserve the essence of proofs, i.e., the resulting derivation 
behaves the same as the original one with respect to cut elimination. A natural 
question is whether our process enjoys the same property. This is not a trivial 
question, because of the merging of coinvariants which is performed during bal- 
ancing, and to a smaller extent the unfoldings also performed in that process. We 
conjecture that those new transformations, which are essentially loop fusions and 
unrolling, do also preserve the cut elimination behavior of proofs. 

A different proof technique for establishing completeness consists in focusing a 
proof by cutting it against focused identities [Laurent 2004; Chaudhuri et al. 2008]. 
The preservation of the essence of proofs is thus an immediate corollary of that 
method. However, the merging of coinvariants cannot be performed through cut 
elimination, so this proof technique (alone) cannot be used in our case. 

4.2 The ^-focused system 

While the classification of p as synchronous and v as asynchronous is rather satis- 
fying and coincides with several other observations, that choice does not seem to 
be forced from the focusing point of view alone. After all, the fi rule also commutes 
with all other rules. It turns out that one can design a I'-focused system treating 
li as asynchronous and v as synchronous, and still obtain completeness. That sys- 
tem is obtained from the previous one by changing only the rules working on fixed 
points: 



Note that a new asynchronous phase must start in the coinvariance premise: 
asynchronous connectives in BSx or (Sx) might have to be introduced before a 
focus can be picked. For example, if B is (Xp. a^ 7 ^ _L) and S is a , one cannot focus 
on S immediately since a 1 - is not yet available for applying the init; conversely, 
if B is (Xp. a) and S is a <8> 1, one cannot focus on BS immediately. 

Theorem 4.15. The v-focused system is sound and complete with respect to 
fiMALL: If I — ff- r is provable, then h T is provable in fiMALL. If h T has a 



□ 



^THB(pB)t,A 

h r ff i-iBt, a 
hr^sf hfr BSx, {Sx) 



h r, (ggg* fr a 
h r fr LiBt, a 



h r 4 vBt 



h {fJ-Bi)* JL vBt 
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quasi-finite [iMALL derivation, then I — ff- T has a (focused) derivation. 

Proof sketch. The proof follows the same argument as for the ^-focused sys- 
tem. We place ourselves in a logic with explicit freezing annotations for atoms 
and least fixed points, and define balanced annotated derivations, requiring that 
any instance of a least fixed point is used consistently throughout a derivation, 
cither always frozen or always unfolded; together with the constraint on its sublo- 
cations, this means that a least fixed point has to be unfolded the same number of 
times in all (additive) branches of a derivation. We then show that any quasi-finite 
annotated derivation can be balanced; the proof of Lemma 4.5 can be adapted 
easily Finally, balanced derivations can be transformed into focused derivations 
using permutations: the focalization graph technique extends trivially, the new 
asynchronous permutations involving the \i rule are simple thanks to balancing, 
and the new synchronous permutations involving the v rule are trivial. □ 

This flexibility in the design of a focusing system is unusual. It is not of the same 
nature as the arbitrary bias assignment that can be used in Andrcoli's system: 
atoms are non-canonical, and the bias can be seen as a way to indicate what is the 
synchrony of the formula that a given atom might be instantiated with. But our 
fixed points have a fully defined logical meaning, they are canonical. The flexibility 
highlights the fact that focusing is a somewhat shallow property, accounting for local 
rule permutability independently of deeper properties such as positivity. Although 
we do not see any practical use of such flexibility, it is not excluded that one 
is discovered in the future, like with the arbitrary bias assignment on atoms in 
Andrcoli's original system. 

It is not possible to treat both least and greatest fixed points as asynchronous. 
Besides creating an unclear situation regarding init, this would require to balance 
both kinds of fixed points, which is impossible. In /i-focusing, balancing greatest 
fixed points unfolds least fixed points as a side effect, which is harmless since there 
is no balancing constraint on those. The situation is symmetric in j/-focusing. 
But if both least and greatest fixed points have to be balanced, the two unfolding 
processes interfere and may not terminate anymore. It is nevertheless possible to 
consider mixed bias assignments for fixed point formulas, if the init rule is restricted 
accordingly. We would consider two logically identical variants of each fixed point: 
/x + and v + being treated synchronously, fi~ and v~ asynchronously, and the axiom 
rule would be restricted to dual fixed points of opposite bias: 

h (tiBt)+, {vBt)- h {vBt)+, (/iSFr 

This restriction allows to perform simultaneously the balancing of v~ and [i~ with- 
out interferences. Further, we conjecture that a sound and complete focused proof 
system for that logic would be obtained by superposing the /i-focuscd system for 
fi + , v~ and the ^-focused system for fi~ , v + . 

4.3 Application to ^tLJL 

The examples of Section 2.6 showed that despite its simplicity and linearity, /iMALL 
can be related to a more conventional logic. In particular we are interested in 
drawing some connections with /iLJ [Baelde 2008a], the extension of LJ with least 

ACM Transactions on Computational Logic, Vol. V, No. N, December 2010. 



Least and Greatest Fixed Points in Linear Logic • 41 

and greatest fixed points. In the following, we show a simple first step to this 
program, in which we capture a rich fragment of /iLJ even though //MALL does 
not have exponentials. In this section, we make use of the properties of negative 
formulas (Definition 2.11), which has two important consequences: we shall use the 
/i- focused system, and could not use the alternative ^-focused one, since it does 
not agree with the classification; moreover, we shall work in a fragment of /iMALL 
without atoms, since atoms do not have any polarity. 

We have observed (Proposition 2.12) that structural rules are admissible for neg- 
ative formulas of /iMALL. This property allows us to obtain a faithful encoding of 
a fragment of /iLJ in /iMALL despite the absence of exponentials. The encoding 
must be organized so that formulas appearing on the left-hand side of intuitionistic 
sequents can be encoded positively in //MALL. The only connectives allowed to 
appear negatively shall thus be A, V, =, \i and 3. Moreover, the encoding must 
commute with negation, in order to translate the (co)induction rules correctly. This 
leaves no choice in the following design. 

Definition 4.16 %, Q, /iLJL. The fragments H and Q arc given by the following 
grammar: 

G ■■■= G f\G\G\/G\s = t\ 3x.Gx \ fi{XpXx.g P x)£\ pt 

Vx.Qx \ HdQ\ v(XpXx.Qpx)t 
H ::= HAH\H\/H\s = t\ Bx.Hx | p{\p\x.Hpx)t\ pt 

The logic /iLJL is the restriction of /iLJ to sequents where all hypotheses are in 
the fragment T-L, and the goal is in the fragment G- This implies a restriction of 
induction and coinduction rules to (co) invariants in H. 
Formulas in H and G are translated in /iMALL as follows: 



[PAQ] 


def 


[P] ® [Q] 


\ix.Px\ 


def 


Wx.[Px] 


[PVQ] 


def 


[P] e [Q] 


[vBt\ 


def 


v\B\t 


[s = t] 


def 


S = t 


[P^Q] 


def 


[P] - [Q] 


[3x.Px] 


def 


3x.[Px] 


[XpXx.Bpx] 


def 


XpXx. [Bpx] 


[/if?i| 


def 


fi[B]t 


\pt\ 


def 


pt 



For reference, the rules of /iLJL can be obtained simply from the rules of the 
focused system presented in Figure 3, by translating T; T' h P into T,T' h P, 
allowing both contexts to contain any T-L formula and reading them as sets to allow 
contraction and weakening. 

Proposition 4.17. Let P be a G formula, and T a context of '% formulas. Then 
rhP has a quasi-finite fiLJL derivation if and only if h [T]^, [P] has a quasi-finite 
fiMALL derivation, under the restrictions that (co) invariants in fiMALL are of the 
form Xx. [Sx] for Sx £ [H]. 

Proof. The proof transformations arc simple and compositional. The induction 
rule corresponds to the v rule for (//[i?]^)^, the proviso on invariants allowing the 
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translations: 

T,St^G BSxhSx h [r] x ,[S] x £[G] h MS^x , [S]i 



r, \iBtY- G <— > h [r]- 1 , [G] 

Here, [S] stands for Ax. [5x], and the validity of the translation relies on the fact 
that [-BjfS] x is the same as [BSx]^. Note that BS belongs to T~L whenever both 
S and B are in "H, meaning that for any p and x, Bpx G %. The coinduction rule 
is treated symmetrically, except that in this case B can be in Q: 

ThSt SxhBSx h[r]MS]f \- [S\^,[B][S\S 

ThvBt < — > hT^^F 

In order to restore the additive behavior of some intuitionistic rules {e.g., AR) and 
translate the structural rules, we can contract and weaken the negative /zMALL 
formulas corresponding to encodings of % formulas. □ 

Linear logic provides an appealing proof theoretic setting because of its emphasis 
on dualities and of its clear separation of concepts (additive vs. multiplicative, 
asynchronous vs. synchronous). Our experience is that /iMALL is a good place to 
study focusing in the presence of least and greatest fixed point connectives. To 
get similar results for /xLJ, one can either work from scratch entirely within the 
intuitionistic framework or use an encoding into linear logic. Given a mapping 
from intuitionistic to linear logic, and a complete focused proof system for linear 
logic, one can often build a complete focused proof-system for intuitionistic logic. 

h F ^ h [F] 



HfF* hft [F] 

The usual encoding of intuitionistic logic into linear logic involves exponentials, 
which can damage focusing structures by causing both synchronous and asyn- 
chronous phases to end. Hence, a careful study of the polarity of linear connectives 
must be done (cf. [Danos et al. 1993; Liang and Miller 2007]) in order to minimize 
the role played by the exponentials in such encodings. Here, as a result of Propo- 
sition 4.17, it is possible to get a complete focused system for /iLJL that inherits 
exactly the strong structure of linear /i-focused derivations. 

This system is presented in Figure 3. Its sequents have the form L; V h P where 
T' is a multiset of synchronous formulas (fragment %) and the set T contains frozen 
least fixed points in %. First, notice that accordingly with the absence of exponen- 
tials in the encoding into linear logic, there is no structural rule. The asynchronous 
phase takes place on sequents where V is not empty. The synchronous phase pro- 
cesses sequents of the form T; h P, where the focus is without any ambiguity on 
P. It is impossible to introduce any connective on the right when T' is not empty. 
As will be visible in the following proof of completeness, the synchronous phase in 
/iLJL does not correspond exactly to a synchronous phase in /iMALL: it contains 
rules that are translated into asynchronous /iMALL rules, namely implication, uni- 
versal quantification and coinduction. We introduced this simplification in order to 



ACM Transactions on Computational Logic, Vol. V. No. N, December 2010. 



Least and Greatest Fixed Points in Linear Logic • 43 



simplify the presentation, which is harmless since there is no choice in refocusing 
afterwards. 

Asynchronous phase 

r ; r',p,Qi-p r ; r',Phfl r ; r',Qhfi 
r ; r',p a q h r r ; r',PvQ h r 

r ; r',P3; h q 

T;T',3x.Px h Q 
{(T;V h P)0 : 9 6 cs«(s = t)} 

r ; r',s = t h p 

r )( uBt-r'i-p se?i r ; r',5t*r-p -,BSx\-s& 
r-,r' , nBt\- p r-,r' , fiBt\- p 

Synchronous phase 

r ; h^ r ; hP r;hAi r ; ihB 

T;hiAB r ; h A V Ai r ; h A D P 

T; h Pt T; h Pa; 
r ; ht = t r ; h 3x.Px T;\-Vx.Px 

r ; h B{p.B)t 

T, liBi; h /uPt T; h fiBt 

Sen T;h St ;SxhBSx 
V; h vBt 

Fig. 3: Focused proof system for /xLJL 

Proposition 4.18 Soundness and completeness. The focused proof system 
for /iLJL is sound and complete with respect to /iLJL: any focused fj.LJL derivation 
ofT';T h P can be transformed into a [iLJL derivation of r',T h P; any quasi- 
finite /J.LJL derivation of T h P can be transformed into a fiLJL derivation of 
■ ;T h P. 

Proof. The soundness part is trivial: unfocused /LtLJL derivations can be ob- 
tained from focused derivations by removing focusing annotations. Completeness 
is established using the translation to linear logic as outlined above. Given a /xLJL 
derivation of T h P, we obtain a ^MALL derivation of [r] h [P] using Proposi- 
tion 4.17. This derivation inherits quasi-finiteness, so we can obtain a /x-focused 
//MALL derivation of I — ff- [r] , [P] . All sequents of this derivation correspond to 
encodings of /iLJL sequents, always containing a formula that corresponds to the 
right-hand side of /xLJL sequents. By permutability of asynchronous rules, we can 
require that asynchronous rules are applied on right-hand side formulas only after 
any other asynchronous rule in our /x-focused derivation. Finally, we translate that 
focused derivation into a focused /xL JL derivation. Let T be a multiset of least fixed 
points in H, V be a multiset of % formulas, and P be a formula in Q. 
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(1) If there is a ^-focused derivation of h ([r]- 1 )* ft [F]- 1 , [P] or A ([r]^)*, [P] ft 
[r']- 1 then there is a focused /iLJL derivation of T; T' h P. 

(2) If there is a /i-focused derivation of h ([r]- 1 )* ft [P] then there is a focused 
/iLJL derivation of T; h P. 

We proceed by a simultaneous induction on the /i-focused derivation. 

(1) Since [P] is the only formula that may be synchronous, the /i-focused derivation 
can only start with two switching rules: either [P] is moved to the left of the 
arrow, in which case we conclude by induction hypothesis (1), or T' is empty 
and [P] is focused on, in which case we conclude by induction hypothesis (2). 
If the /i-focused derivation starts with a logical rule, we translate it into a 
/iLJL focused rule before concluding by induction hypothesis. For instance, 
the & or ^ rule, which can only be applied to a formula in [r']^, respectively 
correspond to a left disjunction or equality rule. Other asynchronous /iMALL 
rules translate differently depending on whether they are applied on \F] or [P]: 
^ can correspond to left conjunction or right implication; v to left /i (induction) 
or right v (coinduction); V to left 3 or right V. Note that in the case where 
[P] is principal, the constraint on the order of asynchronous rules means that 
r is empty, which is required by synchronous /iLJL rule. Finally, freezing is 
translated by the /iLJL rule moving a least fixed point from V to T. 

(2) If the /i-focused derivation starts with the switching rule releasing focus from 
[P] we conclude by induction hypothesis (1). Otherwise it is straightforward 
to translate the first rule and conclude by induction hypothesis (2): (g), ©, =, 
3 and /i respectively map to the right rules for A, V, =, 3 and /i. 

Note, however, that the tensor rule splits frozen formulas in ([r]^)*, while the 
right conjunction rule of /iLJL docs not. This is harmless because weakening is 
obviously admissible for the frozen context of /iLJL focused derivations. This 
slight mismatch means that we would still have a complete focused proof system 
for /iLJL if we enforced a linear use of the frozen context. We chose to relax 
this constraint as it does not make a better system for proof search. 

□ 

Although /iLJL is only a small fragment of /iLJ, it catches many interesting and 
useful problems. For example, any Horn-clause specification can be expressed in 
% as a least fixed point, and theorems that state properties such as totality or 
functionality of predicates defined in this manner are in Q. Theorems that state 
more model-checking properties, of the form Vx. P x D Q x, are in Q provided that 
P and Q are in T-L. Further, implications can be chained through a greatest fixed 
point construction, which allows to specify various relations on process behaviors. 
For example, provided that one-step transitions u — »• v are specified in simulation 
is naturally expressed in Q as follows: 

vSXxXy. Vx'. x — > x' D By', y — > y' A S x' y' 

Finally, the theorems about natural numbers presented in Section 2.6 are also in 
Q. Although a formula in Q can a priori be a theorem in /iLJ but not in /iLJL, we 
have shown [Baelde 2009] that /iLJL is complete for inclusions of non-deterministic 
finite automata — A C B being expressed naturally as Vu>. [A]w z> [23] to. 
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Interestingly, the /iLJL fragment has already been identified in LINC [Tiu et al. 
2005] and the Bedwyr system [Baclde et al. 2007] implements a proof-search strat- 
egy for it that is complete for finite behaviors, i.e., proofs without (co)induction 
nor axiom rules, where a fixed point has to be treated in a finite number of unfold- 
ings. This strategy coincides with the focused system for /iLJL, where the finite 
behavior restriction corresponds to dropping the freezing rule, obtaining a system 
where proof search consists in eagerly eliminating any left-hand side (asynchronous) 
formula before working on the goal (right-hand side), without ever performing any 
contraction or weakening. The logic /iLJ is closely related to LINC, the main dif- 
ference being the generic quantifier V, which allows to specify and reason about 
systems involving variable binding, such as the 7r-calculus [Tiu 2005]. But we have 
shown [Baeldc 2008b] that V can be added in an orthogonal fashion in /iLJ (or 
/iMALL) without affecting focusing results. 



5. CONCLUSION 

We have defined /iMALL, a minimal and well-structured proof system featuring 
fixed points, and established the two main properties for that logic. The proof of 
cut elimination is the first contribution of this paper, improving on earlier work 
and contributing to the understanding of related works. The second and main 
contribution is the study and design of focusing for that logic. This challenging 
extension of focused proofs forces us to reflect on the foundations of focusing, and 
brought new proof search applications of focusing. We have shown that /iMALL is 
a good logic for the foundational study of fixed points, but also a rich system that 
can directly support interesting applications: combining observations on admissible 
structural rules with our /i-focused system, we were able to derive a focused proof 
system for an interesting fragment of /iLJ. 

Although carried out in the simple logic /iMALL, this work on fixed points has 
proved meaningful in richer logics. We have extended our focusing results to /iLL 
and /tLJ [Baeldc 2008a] , naturally adapting the designs and proof techniques de- 
veloped in this paper. However, focused systems obtained by translating the target 
logic into /iMALL (or /iLL) are often not fully satisfying, and better systems can be 
crafted and proved complete from scratch, using the same techniques as for /iMALL, 
with a stronger form of balancing that imposes uniform asynchronous choices over 
all contractions of a formula. 

Further work includes various projects relying on /iMALL and its extensions, from 
theory to implementation. But we shall focus here on important open questions 
that are of general interest concerning this formalism. An obvious first goal would 
be to strengthen our weak normalization proof into a strong normalization result. 
The relationship between cut elimination and focusing also has to be explored more; 
we conjectured that focusing preserves the identity (cut elimination behavior) of 
proofs, and that the notion of quasi-finiteness could be refined so as to be preserved 
by cut elimination. Finally, it would be useful to be able to characterize and control 
the complexity of normalization, and consequently the expressiveness of the logic; 
here, one could explore different classes of (co)invariants, or other formulations of 
(co)induction. 
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